Package details: pkg:maven/org.keycloak/keycloak-services@26.6.1
purl pkg:maven/org.keycloak/keycloak-services@26.6.1
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability: VCID-mdkf-3bgs-w7dm
Summary: Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation
Description: A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
Aliases: CVE-2026-4874, GHSA-22rm-wp4x-v5cx

Vulnerability: VCID-ugtk-3bjv-s3a4
Summary: Keycloak has Improper Access Control allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false
Description: A flaw was found in Keycloak. An improper access control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.
Aliases: CVE-2026-4628, GHSA-4pgc-gfrr-wcmg