Search for packages
| purl | pkg:maven/org.keycloak/keycloak-services@26.1.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1rp9-hqyn-vqh8
Aliases: CVE-2025-3910 GHSA-5jfq-x6xp-7rw2 |
Keycloak vulnerable to two factor authentication bypass # Description A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. |
Affected by 5 other vulnerabilities. |
|
VCID-5s6v-un5w-qyg4
Aliases: GHSA-gj52-35xm-gxjh |
Duplicate Advisory: Keycloak phishing attack via email verification step in first login flow ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xhpr-465j-7p9q. This link is maintained to preserve external references. ### Original Description A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account. |
Affected by 2 other vulnerabilities. |
|
VCID-7363-ze97-87et
Aliases: CVE-2025-2559 GHSA-2935-2wfm-hhpv |
Keycloak Denial of Service (DoS) Vulnerability via JWT Token Cache A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system. |
Affected by 7 other vulnerabilities. |
|
VCID-7nhn-26zx-4fam
Aliases: GHSA-83j7-mhw9-388w |
Duplicate Advisory: Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled) ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-27gp-8389-hm4w. This link is maintained to preserve external references. ### Original Description A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm. |
Affected by 1 other vulnerability. |
|
VCID-921n-kkxc-gyav
Aliases: GHSA-fx44-2wx5-5fvp |
Duplicate Advisory: Keycloak vulnerable to two factor authentication bypass # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5jfq-x6xp-7rw2. This link is maintained to preserve external references. # Original Description A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. |
Affected by 5 other vulnerabilities. |
|
VCID-a24q-kvu5-2fe7
Aliases: CVE-2025-8419 GHSA-m4j5-5x4r-2xp9 GHSA-qj5r-2r5p-phc7 |
A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-c7hg-36fr-7ffe
Aliases: CVE-2025-3501 GHSA-hw58-3793-42gg |
Keycloak hostname verification A flaw was found in Keycloak. By setting a verification policy to 'ANY', the trust store certificate verification is skipped, which is unintended. |
Affected by 5 other vulnerabilities. |
|
VCID-cxc7-ub9z-tqgt
Aliases: GHSA-rq4w-cjrr-h8w8 |
Duplicate Advisory: Keycloak allows Incorrect Assignment of an Organization to a User # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-gvgg-2r3r-53x7. This link is maintained to preserve external references. # Original Description A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges. |
Affected by 8 other vulnerabilities. |
|
VCID-p8xk-7q47-pbcp
Aliases: CVE-2025-1391 GHSA-gvgg-2r3r-53x7 |
Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims This vulnerability is caused by the improper mapping of users to organizations based solely on email/username patterns. The issue is limited to the token claim level, meaning the user is not truly added to the organization but may appear as such in applications relying on these claims. The risk increases in scenarios where self-registration is enabled and unrestricted, allowing an attacker to exploit the naming pattern. The issue is mitigated if admins restrict registration or use strict validation mechanisms. |
Affected by 8 other vulnerabilities. |
|
VCID-ydys-b2yz-rbgv
Aliases: GHSA-r934-w73g-v4p8 |
Duplicate Advisory: Keycloak hostname verification # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hw58-3793-42gg. This link is maintained to preserve external references. # Original Description A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. |
Affected by 5 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-jgqy-unwr-myh7 | Keycloak phishing attack via email verification step in first login flow There is a flaw with the first login flow where, during a IdP login, an attacker with a registered account can initiate the process to merge accounts with an existing victim's account. The attacker will subsequently be prompted to "review profile" information, which allows the the attacker to modify their email address to that of a victim's account. This triggers a verification email sent to the victim's email address. If the victim clicks the verification link, the attacker can gain access to the victim's account. While not a zero-interaction attack, the attacker's email address is not directly present in the verification email content, making it a potential phishing opportunity. This issue has been fixed in versions 26.0.13, 26.2.6, and 26.3.0. |
CVE-2025-7365
GHSA-xhpr-465j-7p9q |