Red Hat Build Keycloak


By the Year

In 2026 there have been 15 vulnerabilities in Red Hat Build Keycloak with an average score of 4.9 out of ten. Last year, in 2025, Build Keycloak had 27 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Build Keycloak in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.68.

Year  Vulnerabilities  Average Score
2026  15               4.95
2025  27               5.63
2024  38               6.24
2023  3                5.63

It may take a day or so for new Build Keycloak vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Build Keycloak Security Vulnerabilities

Keycloak Docker v2 Auth: Tokens Issued Post-Disable (CVE-2026-2733)
CVE-2026-2733 3.8 - Low - February 19, 2026

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client Enabled setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.

AuthZ

Verbose Logging Exposes Auth & Cookie Headers in Keycloak
CVE-2025-11537 5 - Medium - February 10, 2026

A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log files can extract these credentials (e.g., bearer tokens, session cookies) and use them to impersonate users, leading to a full account compromise.

Improper Output Neutralization for Logs

Keycloak UMA Policy Bypass via Owner Check Leak
CVE-2025-14778 5.4 - Medium - February 09, 2026

A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This allows a user (Owner A) who owns one resource (RA) to update a shared policy and modify authorization rules for other resources (e.g., RB) in that same policy, even if those other resources are owned by a different user (Owner B). This constitutes a horizontal privilege escalation.

Incorrect Privilege Assignment

Keycloak JWT Signature Bypass Allows Unauthorized Org Self-Registration
CVE-2026-1529 8.1 - High - February 09, 2026

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access.

Improper Verification of Cryptographic Signature

Keycloak JWT Authorization Grant Token Issued Even for Disabled IdP
CVE-2026-1486 8.8 - High - February 09, 2026

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.

Improperly Implemented Security Check for Standard

Insufficient backchannel validation in Keycloak CIBA blind SSRF
CVE-2026-1518 2.7 - Low - February 02, 2026

A flaw was found in Keycloak's CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services.

SSRF

Keycloak /unmanagedAttributes Bypass Lets Admin View Sensitive Custom Attributes
CVE-2025-13881 2.7 - Low - February 02, 2026

A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.

Incorrect Privilege Assignment

Undertow OOM via large servlet param names
CVE-2024-4027 7.5 - High - January 30, 2026

A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.

Improper Input Validation

Keycloak SAML NotOnOrAfter Validation Bypass Enables Session Extension
CVE-2026-1190 3.1 - Low - January 26, 2026

A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.

Missing XML Validation

RedHat Keycloak Admin REST API: Exposed Backend Schema via Improper Access Control
CVE-2025-14083 2.7 - Low - January 21, 2026

A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.

Authorization

Keycloak Token Exchange BLP Allows Tokens to Disabled Users
CVE-2025-14559 6.5 - Medium - January 21, 2026

A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow.

Business Logic Errors

Keycloak Refresh Token Rotation Bypass via Atomicity Flaw
CVE-2026-1035 3.1 - Low - January 21, 2026

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak's refresh token rotation hardening can be undermined.

TOCTTOU

Keycloak OIDC DCR leaks internal via arbitrary jwks_uri
CVE-2026-1180 5.8 - Medium - January 20, 2026

A flaw was identified in Keycloak's OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.

SSRF

Keycloak URL Matrix Param Input Validation (CVE-2026-0976)
CVE-2026-0976 3.7 - Low - January 15, 2026

A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable.

Improper Input Validation

Keycloak Header Parser Permissive Bearer Token Validation (CVE-2026-0707)
CVE-2026-0707 5.3 - Medium - January 08, 2026

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Keycloak TLS 1.2 Renegotiation DoS (unauthenticated, CPU exhaustion)
CVE-2025-11419 7.5 - High - December 23, 2025

A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable.

Allocation of Resources Without Limits or Throttling

Keycloak Admin API IDOR via ResourceSetService
CVE-2025-14777 6 - Medium - December 16, 2025

A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.

Authentication Bypass by Alternate Name

Keycloak Admin REST API Info Disclosure via /roles endpoint
CVE-2025-14082 2.7 - Low - December 10, 2025

A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.

Authorization

Undertow OOM DoS via Large application/x-www-form-urlencoded
CVE-2024-3884 7.5 - High - December 03, 2025

A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.

Improper Input Validation

Keycloak LDAP Federation Deserialization via Malicious LDAP (CVE-2025-13467)
CVE-2025-13467 5.5 - Medium - November 25, 2025

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.

Marshaling, Unmarshaling

Keycloak JDWP debug mode auto bind to 0.0.0.0 RCE
CVE-2025-11538 6.8 - Medium - November 13, 2025

A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.

Binding to an Unrestricted IP Address

Keycloak Session ID Reuse Allows Token Hijacking
CVE-2025-12390 6 - Medium - October 28, 2025

A flaw was found in Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn't clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.

Session Fixation

Keycloak | Relative Path Normalization flaw enabling /admin via HAProxy
CVE-2025-10939 3.7 - Low - October 28, 2025

A flaw was found in Keycloak. The Keycloak guides recommend not exposing the /admin path to the outside when the installation is behind a proxy. The issue occurs at least via HAProxy, which can be tricked into using relative/non-normalized paths to access the /admin application path relative to /realms, which is expected to be exposed.

DLL preloading

Keycloak Offline Session Persistence when Offline_Access scope removed
CVE-2025-12110 5.4 - Medium - October 23, 2025

A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is still accepted and can continue to be used to request new tokens for the session. This can lead to a situation where an administrator removes the scope and assumes that offline sessions are no longer available, but they are.

Insufficient Session Expiration

Keycloak 'Remember Me' disable ignored, extending session lifetime risk
CVE-2025-11429 5.4 - Medium - October 23, 2025

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.

Insufficient Session Expiration

Keycloak: Unvalidated error_description param enables XSS/Phishing
CVE-2025-10044 4.3 - Medium - September 05, 2025

A flaw was found in Keycloak. Keycloak's account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors.

XSS

Keycloak ModStor Service: EnvVar Injection via Realm Import
CVE-2025-9162 4.9 - Medium - August 21, 2025

A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment.

Exposure of Sensitive Information Through Environmental Variables

SMTP Injection in Keycloak Services via Email Registration
CVE-2025-8419 5.3 - Medium - August 06, 2025

A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (the limit of the local part of the email address), so the attack is limited to very short emails (a subject and little data; the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.

CRLF Injection

Keycloak FGAPv2 Priv Escalation via Manage-Users Role
CVE-2025-7784 6.5 - Medium - July 18, 2025

A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm.

Improper Privilege Management

Keycloak IdP Merge flaw enabling phishing via email hijack
CVE-2025-7365 7.1 - High - July 10, 2025

A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.

Origin Validation Error

Keycloak /admin/serverinfo Info Disclosure via Authenticated Access
CVE-2025-5416 2.7 - Low - June 20, 2025

A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Keycloak Cert Trust Skip via VERIFICATION POLICY=ALL
CVE-2025-3501 8.2 - High - April 29, 2025

A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.

Improper Validation of Certificate with Host Mismatch

Keycloak org.keycloak.auth bypass of required actions (2FA)
CVE-2025-3910 5.4 - Medium - April 29, 2025

A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.

authentication

Keycloak JWT Cache OOM DoS via Long Expiration Tokens
CVE-2025-2559 4.9 - Medium - March 25, 2025

A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.

Allocation of Resources Without Limits or Throttling

Wildfly Elytron CLI Brute Force Vulnerability
CVE-2025-23368 8.1 - High - March 04, 2025

A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI.

Improper Restriction of Excessive Authentication Attempts

Keycloak Admin XSS via Malicious Permission Payload
CVE-2024-4028 3.8 - Low - February 18, 2025

A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.

Improper Input Validation

Keycloak Org Mapper Misassigns Org via Username/Email Pattern (CVE-2025-1391)
CVE-2025-1391 5.4 - Medium - February 17, 2025

A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization's domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.

Authorization

Wildfly RBAC flaw enables unauthorized suspend/resume of server
CVE-2025-23367 6.5 - Medium - January 30, 2025

A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.

Authorization

Keycloak Auth Bypass via AD Password Reset
CVE-2025-0604 5.4 - Medium - January 22, 2025

A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycloak, bypassing AD restrictions. The issue enables authentication bypass and could allow unauthorized access under certain conditions.

authentication

Keycloak URL Placeholder Abuse Exposes Server Env Vars
CVE-2024-11736 4.9 - Medium - January 14, 2025

A vulnerability was found in Keycloak. Admin users may be able to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing.

Exposure of Sensitive Information Through Environmental Variables

Keycloak Denial of Service via Header Manipulation by Admin
CVE-2024-11734 6.5 - Medium - January 14, 2025

A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that has already been terminated, leading to the failure of said request.

Protection Mechanism Failure

Keycloak: Sensitive Information Disclosure in JGroups Replication Configuration
CVE-2024-10973 5.7 - Medium - December 17, 2024

A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information.

Cleartext Transmission of Sensitive Information

Quarkus-HTTP Cookie Parsing Vulnerability
CVE-2024-12397 7.4 - High - December 12, 2024

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

HTTP Request Smuggling

OIDC-Client Authorization Code Injection Vulnerability
CVE-2024-12369 4.2 - Medium - December 09, 2024

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

Insufficient Verification of Data Authenticity

Keycloak Server: Denial of Service via Improper Proxy Header Validation
CVE-2024-9666 4.7 - Medium - November 25, 2024

A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

HTTP Request Smuggling

Keycloak Privilege Escalation via Vault File Access
CVE-2024-10492 - November 25, 2024

A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.

External Control of File Name or Path

Keycloak-services: Denial of Service via Regex Complexity in SearchQueryUtils
CVE-2024-10270 6.5 - Medium - November 25, 2024

A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.

ReDoS

Keycloak Information Disclosure Vulnerability in Build Process
CVE-2024-10451 5.9 - Medium - November 25, 2024

A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.

Use of Hard-coded Credentials

XSS in WildFly Deployment System Enables RCE
CVE-2024-10234 6.1 - Medium - October 22, 2024

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. This flaw allows an attacker or insider to execute a deployment with a malicious payload, which could trigger undesired behavior against the server.

XSS
