Red Hat: Red Hat Linux OS and other open source products


Products by Red Hat, sorted by most security vulnerabilities since 2018

Red Hat Enterprise Linux (RHEL): 1766 vulnerabilities
Red Hat Enterprise Linux Server: 1534 vulnerabilities
    Red Hat Enterprise Linux (RHEL) Server. Includes software bundled with RHEL Server.
Red Hat Enterprise Linux Workstation: 1504 vulnerabilities
    Red Hat Enterprise Linux (RHEL) Workstation. Includes software bundled with RHEL Workstation.
Red Hat Enterprise Linux Desktop: 1493 vulnerabilities
    Red Hat Enterprise Linux (RHEL) Desktop. Includes software bundled with RHEL Desktop.
Red Hat Enterprise Linux Eus: 800 vulnerabilities
Red Hat Openshift: 315 vulnerabilities
Red Hat Satellite: 226 vulnerabilities
Red Hat Rhel Eus: 223 vulnerabilities
Red Hat Openstack: 215 vulnerabilities
Red Hat Rhel E4s: 153 vulnerabilities
Red Hat Rhel Tus: 136 vulnerabilities
Red Hat Rhel Aus: 134 vulnerabilities
Red Hat Build Keycloak: 132 vulnerabilities
Red Hat Software Collections: 123 vulnerabilities
Red Hat Keycloak: 123 vulnerabilities
Red Hat Virtualization: 115 vulnerabilities
Red Hat Single Sign On: 95 vulnerabilities
Red Hat Rhel Els: 84 vulnerabilities
Red Hat Jboss Fuse: 71 vulnerabilities
Red Hat Hummingbird: 70 vulnerabilities
Red Hat Ansible Tower: 69 vulnerabilities
Red Hat Single Sign On: 64 vulnerabilities
Red Hat Jboss Data Grid: 59 vulnerabilities
Red Hat Ceph Storage: 59 vulnerabilities
Red Hat Jbosseapxp: 57 vulnerabilities
Red Hat Libvirt: 55 vulnerabilities
Red Hat Rhel Eus Long Life: 54 vulnerabilities
Red Hat Virtualization Host: 53 vulnerabilities
Red Hat Ansible: 42 vulnerabilities
Red Hat Quay: 41 vulnerabilities
Red Hat Enterprise Linux Aus: 41 vulnerabilities
Red Hat Kafka: 40 vulnerabilities
Red Hat Undertow: 40 vulnerabilities
    Java HTTP Server and Servlet Container
Red Hat Rhivos: 38 vulnerabilities
Red Hat Openstack Platform: 38 vulnerabilities
Red Hat Storage: 37 vulnerabilities
Red Hat Jboss Core Services: 35 vulnerabilities
Red Hat Rhev Hypervisor: 33 vulnerabilities
Red Hat Discovery: 33 vulnerabilities
Red Hat Linux: 32 vulnerabilities
Red Hat Quarkus: 30 vulnerabilities
Red Hat Cloudforms: 30 vulnerabilities
Red Hat Http Server: 29 vulnerabilities
Red Hat Satellite Capsule: 27 vulnerabilities
Red Hat Rhosemc: 27 vulnerabilities
Red Hat Insights Proxy: 24 vulnerabilities
Red Hat Fuse: 22 vulnerabilities
Red Hat Openshift Service Mesh: 21 vulnerabilities
Red Hat Integration Camel K: 20 vulnerabilities
Red Hat Enterprise Linux Tus: 20 vulnerabilities
Red Hat Process Automation: 19 vulnerabilities
Red Hat Wildfly: 19 vulnerabilities
Red Hat Directory Server: 18 vulnerabilities
Red Hat Camel Spring Boot: 18 vulnerabilities
Red Hat Integration: 18 vulnerabilities
Red Hat Logging: 18 vulnerabilities
Red Hat Rhui: 18 vulnerabilities
Red Hat Camel Quarkus: 17 vulnerabilities

Recent Red Hat Security Advisories

Advisory        | Title                                                                                                                                                                               | Published
RHSA-2026:23496 | Important: tigervnc security update                                                                                                                                                 | June 4, 2026
RHSA-2026:23471 | Important: kpatch-patch-4_18_0-477_107_1, kpatch-patch-4_18_0-477_120_1, kpatch-patch-4_18_0-477_130_1, kpatch-patch-4_18_0-477_89_1, and kpatch-patch-4_18_0-477_97_1 security update | June 4, 2026
RHSA-2026:23470 | Important: kpatch-patch-4_18_0-553_109_1, kpatch-patch-4_18_0-553_40_1, kpatch-patch-4_18_0-553_53_1, kpatch-patch-4_18_0-553_72_1, and kpatch-patch-4_18_0-553_85_1 security update   | June 4, 2026
RHSA-2026:23469 | Important: kpatch-patch-5_14_0-284_104_1, kpatch-patch-5_14_0-284_117_1, kpatch-patch-5_14_0-284_134_1, kpatch-patch-5_14_0-284_148_1, and kpatch-patch-5_14_0-284_158_1 security update | June 4, 2026
RHSA-2026:23468 | Important: kpatch-patch-5_14_0-570_17_1, kpatch-patch-5_14_0-570_39_1, kpatch-patch-5_14_0-570_66_1, and kpatch-patch-5_14_0-570_94_1 security update                                 | June 4, 2026
RHSA-2026:23420 | Important: flatpak security update                                                                                                                                                  | June 4, 2026
RHSA-2026:23419 | Important: flatpak security update                                                                                                                                                  | June 4, 2026
RHSA-2026:23418 | Important: flatpak security update                                                                                                                                                  | June 4, 2026
RHSA-2026:23417 | Important: flatpak security update                                                                                                                                                  | June 4, 2026
RHSA-2026:21695 | Important: OpenShift Container Platform 4.12.91 bug fix and security update                                                                                                         | June 4, 2026

By the Year

In 2026 there have been 1014 vulnerabilities in Red Hat with an average score of 7.0 out of ten. Last year, in 2025, Red Hat had 1134 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Red Hat in 2026 could surpass last year's number. In addition, the average CVE base score of the vulnerabilities in 2026 is greater by 0.46.

Year | Vulnerabilities | Average Score
2026 | 1014            | 7.02
2025 | 1134            | 6.56
2024 | 1685            | 6.57
2023 | 1206            | 6.75
2022 | 1362            | 6.97
2021 | 1123            | 6.62
2020 | 663             | 6.39
2019 | 772             | 6.98
2018 | 760             | 7.16

It may take a day or so for new Red Hat vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Security Vulnerabilities

CVE-2026-50263 (Jun 05, 2026): X.Org X Server UAF in CreateSaverWindow() (Xwayland)
    A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow(). A client can trigger a use-after-free read after changing window attributes and forcing the screen saver, leading to information disclosure.
    Products: Enterprise Linux (RHEL)

CVE-2026-50262 (Jun 05, 2026): X.Org XServer Xwayland OOB Read __glXDisp_ChangeDrawableAttributes
    An out-of-bounds read flaw was found in the X.Org X server and Xwayland in __glXDisp_ChangeDrawableAttributes(). A wrong size validation check can read a client-controlled number of bytes, exceeding the request buffer, leading to information disclosure. A write path also exists but requires byte-swapped clients, which is disabled by default.
    Products: Enterprise Linux (RHEL)

CVE-2026-50264 (Jun 05, 2026): X.Org X Server & Xwayland OOB Heap Write via DRI2 Buffers
    An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write. This may be used to crash the server, or for privilege escalation if the X server runs as root.
    Products: Enterprise Linux (RHEL)

CVE-2026-50261 (Jun 05, 2026): UAF in X.Org X Server XWayland SyncChangeCounter()
    A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. This may be used to crash the server, or for privilege escalation if the X server runs as root.
    Products: Enterprise Linux (RHEL)

CVE-2026-50260 (Jun 05, 2026): Use-after-free in X.Org X Server via SyncCounters
    A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection. This may be used to crash the server, or for privilege escalation if the X server runs as root.
    Products: Enterprise Linux (RHEL)

CVE-2026-50259 (Jun 05, 2026): Stack Buffer Overflow in X.Org X Server (_XkbSetMapChecks)
    A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a client-controlled offset, allowing a stack buffer overflow. This may be used to crash the server, or for privilege escalation if the X server runs as root.
    Products: Enterprise Linux (RHEL)

CVE-2026-50258 (Jun 05, 2026): Stack BOF in X.Org X Server & Xwayland
    A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an incomplete fix of CVE-2025-26597. This may be used to crash the server, or for privilege escalation if the X server runs as root.
    Products: Enterprise Linux (RHEL)

CVE-2026-50257 (Jun 05, 2026): X.Org X Server UAF via miSyncDestroyFence()
    A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free. This may be used to crash the server, or for privilege escalation if the X server runs as root.
    Products: Enterprise Linux (RHEL)

CVE-2026-50256 (Jun 05, 2026): X.Org X Server: Stack Buffer Overflow via Font Alias Length Attack
    A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. A mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias target name length is 1024 bytes. A font alias name between 257 and 1023 bytes causes the X server to copy that name into the undersized stack buffer without further checks. This may be used to crash the server, or for privilege escalation if the X server runs as root.
    Products: Enterprise Linux (RHEL)

CVE-2026-50265 (Jun 05, 2026): Root Privilege Elevation via libinput udev Property Injection
    A flaw was found in libinput. A local attacker with access to /dev/uinput can inject arbitrary udev properties through the libinput-device-group helper. This injection can lead to root code execution, for example, by exploiting REMOVE_CMD properties that are executed when a device is removed. This vulnerability allows an attacker to gain elevated privileges on the system.
    Products: Enterprise Linux (RHEL)

CVE-2026-11332 (Jun 05, 2026): ansible-core Role Install Git Flag Injection
    A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.
    Products: Ansible Automation Platform

CVE-2026-9088 (Jun 05, 2026): Keycloak group-member endpoint bypass leads to info disclosure
    A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
    Products: Build Keycloak

CVE-2026-10843 (Jun 04, 2026): OpenShift Cloud Credential Operator IAM Escalation via Account-Wide Policies
    A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise.
    Products: Openshift

CVE-2026-10840 (Jun 04, 2026): OpenShift Pipelines PrivEsc via Tekton Scheduler RoleBinding
    A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.
    Products: Openshift Builds; Openshift Pipelines

CVE-2026-10805 (Jun 04, 2026): Local Priv Escalation via Malformed MUD URLs in NetworkManager's dhclient
    A flaw was found in NetworkManager. This local privilege escalation vulnerability exists in NetworkManager's dhclient backend when processing malformed Manufacturer Usage Description (MUD) URLs. A local user can exploit this flaw to escalate privileges by triggering a script via a crafted MUD URL, provided an administrator has explicitly configured NetworkManager to use dhclient. This issue does not affect default configurations of NetworkManager.
    Products: Multicluster Engine; Enterprise Linux (RHEL); Jbosseapxp; and others

CVE-2026-1784 (Jun 02, 2026): OpenShift Route Path YAML Injection Enables HAProxy Config Manipulation
    The Route OpenShift resource allows defining routes to make pods reachable at a subdomain through HAProxy. It was found that the checks performed on the spec.path YAML stanza in a Route document were insufficient and could allow a controlled injection of the HAProxy configuration.
    Products: Openshift

CVE-2026-5419 (Jun 01, 2026): GnuTLS PKCS#7 Padding Timing Side-Channel Info Disclosure
    A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of information disclosure.
    Products: Enterprise Linux (RHEL); Hummingbird; Openshift; and others

CVE-2026-43958 (Jun 01, 2026): rrdtool rrdcached Buffer Overflow via Oversized CREATE
    A flaw was found in rrdcached, a component of rrdtool. A local attacker with access to a rrdcached socket can exploit a stack-based buffer overflow by sending an oversized CREATE request. This vulnerability can lead to a denial of service by crashing the daemon or potentially allow for arbitrary code execution, impacting the integrity and confidentiality of data.
    Products: Enterprise Linux (RHEL)

CVE-2026-46243 (Jun 01, 2026): Kernel: CIFS spnego key authority fields misinterpreted
    In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions. cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.

CVE-2026-10118 (Jun 01, 2026): Poppler Splash integer overflow arbitrary code exec
    A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.
    Products: Enterprise Linux (RHEL); Hummingbird

CVE-2026-10533 (Jun 01, 2026): OpenShift Container Platform ResourceQuota Pod Limit Bypass
    A flaw was found in OpenShift Container Platform. Completed pods with restartPolicy: Never do not count toward ResourceQuota pod limits, and Kubernetes events are not quota-scoped. A non-privileged user who can create pods in a namespace can exploit this to generate a large volume of events that accumulate in etcd, causing API server performance degradation across the cluster.
    Products: Openshift

CVE-2026-10517 (Jun 01, 2026): Clair SSRF via fetcher; unauthenticated attacker can SSRF to internal URIs
    A flaw was found in Clair. The fetcher component makes outbound HTTP requests to attacker-supplied URIs from manifest layer descriptors without IP or scheme filtering. When PSK authentication is not configured (opt-in, not enforced by default), an unauthenticated attacker can submit a manifest with a URI pointing to internal services or cloud metadata endpoints. The SSRF is reflective for non-200 responses, leaking up to 256 bytes of error body content via CheckResponse error messages. Operator-managed Red Hat Quay deployments auto-configure PSK and are not exposed to the unauthenticated attack vector.
    Products: Quay

CVE-2026-10101 (May 29, 2026): RBAC Bypass: Assisted-Service Exposes Pull-Secret via InfraEnv.status
    ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover the referenced Secret's `.dockerconfigjson` data from status. This bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied `get` and `list` on Secrets, but recovered synthetic pull-secret `username`, `password`, `email`, and base64 `auth` fields through `InfraEnv.status`.
    Products: Multicluster Engine

CVE-2026-46579 (May 29, 2026): OpenShift Router X-SSL-Client-* Header Bypass via insecureEdgeTerminationPolicy
    A flaw was found in the OpenShift Router. When a Route has `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend does not remove `X-SSL-Client-*` headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted `X-SSL-Client-*` headers. As a result, backends relying on these headers for mutual TLS (Transport Layer Security) authentication can be bypassed, enabling the attacker to impersonate client certificate identities.
    Products: Openshift

CVE-2026-42965 (May 29, 2026): OpenShift Router allows metadata exfiltration via EndpointSlice FQDN proxy
    A flaw was found in the OpenShift Router. A user with EndpointSlice write access can exploit this vulnerability by creating a Service backed by an FQDN (Fully Qualified Domain Name) EndpointSlice that resolves to a cloud metadata endpoint. This allows the router to proxy requests to the cloud metadata endpoint, leading to the disclosure of instance credentials and other sensitive metadata. This bypasses previous security measures for validating IP addresses.
    Products: Openshift

CVE-2026-10078 (May 29, 2026): Quay OAuth validator leaks client_id & client_secret in URL query
    A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to the disclosure of these credentials in various system logs, such as server access logs, reverse proxy logs, and other monitoring systems. An attacker with access to these logs could potentially obtain these credentials, leading to unauthorized information disclosure.
    Products: Quay

CVE-2026-10052 (May 29, 2026): Quay Config-Tool LDAP/SMTP Validation Bypass Enables Internal Reconnaissance
    A flaw was found in the Quay config-tool's LDAP and SMTP validation functions. An attacker with config editor access can exploit these functions, which make outbound connections to user-supplied endpoints without proper IP or host filtering. This allows the attacker to perform internal network reconnaissance from the Quay pod's network position, potentially mapping the internal network infrastructure.
    Products: Quay

CVE-2026-6324 (May 29, 2026): libsoup Signed-to-Unsigned Conversion Out-of-Bounds in HTTP Stream RCE
    A flaw was found in libsoup. A remote attacker could exploit an unsigned to signed conversion error in the `soup_body_input_stream_read_chunked()` function by sending a malicious HTTP request. This vulnerability occurs when libsoup operates behind a non-libsoup proxy server or as a proxy in front of a non-libsoup backend server. Successful exploitation can allow an attacker to bypass security controls, poison web caches, or gain unauthorized access.
    Products: Enterprise Linux (RHEL)

CVE-2026-10028 (May 28, 2026): Glib-Networking GnuTLS Cert Verification Infinite Loop DoS
    A flaw was found in glib-networking. A remote attacker can exploit this vulnerability by presenting a specially crafted certificate chain to an application that uses glib-networking with the GnuTLS backend enabled and performs certificate verification. This crafted chain, which contains circular issuer relationships, can cause an infinite loop during certificate verification. The unbounded traversal consumes excessive CPU resources, leading to a denial of service for the affected process or worker.
    Products: Enterprise Linux (RHEL)

CVE-2026-9804 (May 28, 2026): KubeVirt virt-exportserver Path Traversal Vulnerability
    A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link (symlink) within an exported filesystem Persistent Volume Claim (PVC) that points outside its designated mount root, the attacker can read arbitrary files from the exporter pod's filesystem. This leads to information disclosure, potentially exposing sensitive data.
    Products: Container Native Virtualization

CVE-2026-4408 (May 28, 2026): Samba Remote Cmd Exec via Unsanitized %u in check password script
    A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.
    Products: Enterprise Linux (RHEL); Openshift

CVE-2026-44604 (May 28, 2026): rpmuncompress Command Injection Without Sanitization
    A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.
    Products: Pdrive Lightspeed; Quarkus; Enterprise Linux (RHEL); and others

CVE-2026-9803 (May 28, 2026): Keycloak ClientRegistrationAuth DoS via malformed Bearer header
    A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.
    Products: Build Keycloak

CVE-2026-9802 (May 28, 2026): Keycloak token replay after revocation via server restart
    A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
    Products: Build Keycloak

CVE-2026-9801 (May 28, 2026): Keycloak LDAP Password Policy DoS via OutOfMemoryError
    A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.
    Products: Build Keycloak

CVE-2026-9798 (May 28, 2026): Keycloak CIBA flow bypass for account lock via brute-force
    A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
    Products: Build Keycloak

CVE-2026-9796 (May 28, 2026): Keycloak TOCTOU Privilege Escalation via Role Check
    A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots.
    Products: Build Keycloak

CVE-2026-9795 (May 28, 2026): Keycloak FGAPv2 Role Assignment Bypass via Admin Permissions
    A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.
    Products: Build Keycloak

CVE-2026-9794 (May 28, 2026): Keycloak SAML ECP Info Disclosure via SOAP XML Fault Strings
    A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client's protocol type, leading to information disclosure.
    Products: Build Keycloak

CVE-2026-9792 (May 28, 2026): Keycloak Client Policy Bypass Enables Unauthenticated ROPC Grant
    A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
    Products: Build Keycloak

CVE-2026-9793 (May 28, 2026): Keycloak JWE Decryption Bypass Allows Unauthorized OIDC Claims via Signature Oversight
    A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leading to a compromise of data integrity within the OpenID Connect (OIDC) authorization flow. While a redirect URI allowlist acts as a compensating control, this vulnerability violates OIDC Core and Financial-grade API (FAPI) signing requirements.
    Products: Build Keycloak

CVE-2026-9791 (May 28, 2026): Keycloak OIDC Org Metadata Leak via Authz Bypass
    A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.
    Products: Build Keycloak

CVE-2026-9704 (May 27, 2026): Keycloak TokenEndpoint JWT Length Bypass Escalates Privileges
    A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.
    Products: Build Keycloak

CVE-2026-1933 (May 27, 2026): Samba NTFS Reparse Points Access Control Bypass via SMB
    A flaw was found in Samba's handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations even on read-only exports. This could allow modification of SMB-visible file behavior, including converting files into symbolic links or other reparse point types.
    Products: Enterprise Linux (RHEL); Openshift

CVE-2026-2340 (May 27, 2026): Samba's vfs_worm Rename Bypass Enables Overwrite of WORM Files
    A flaw was found in Samba's vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.
    Products: Enterprise Linux (RHEL); Openshift

CVE-2026-9689 (May 27, 2026): Keycloak HTTP Parameter Pollution via Broad Redirect URIs
    A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web address. If a user clicks this link, the client application might incorrectly prioritize attacker-controlled information over legitimate data. This vulnerability, known as HTTP parameter pollution, could allow an attacker to bypass security measures or gain unauthorized access to resources.
    Products: Build Keycloak

CVE-2026-3012 (May 27, 2026): Samba CA AutoEnroll HTTP Trust Misinstall
    A flaw was found in Samba's certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store without proper verification. An attacker with the ability to intercept or redirect network traffic could exploit this behavior to supply a malicious certificate authority certificate, potentially allowing interception or spoofing of trusted communications.
    Products: Enterprise Linux (RHEL); Openshift

CVE-2026-48710 (May 26, 2026): Host Header Validation Bypass in Starlette <1.0.1 Leading to Routing Bypass
    Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.

CVE-2026-42013 (May 26, 2026): GnuTLS SAN Size Fork-Check Bypass
    A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.
    Products: Enterprise Linux (RHEL); Hummingbird; Openshift; and others

CVE-2026-42015 (May 26, 2026): GnuTLS PKCS#12 Bag Off-by-One Buffer Overwrite
    A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows a remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.
    Products: Enterprise Linux (RHEL); Hummingbird; Openshift; and others
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).