Red Hat Build Keycloak
By the Year
In 2026 there have been 66 vulnerabilities in Red Hat Build Keycloak with an average score of 5.6 out of ten. Last year, in 2025, Red Hat Build Keycloak had 27 security vulnerabilities published. That is, 39 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.06.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 66 | 5.58 |
| 2025 | 27 | 5.63 |
| 2024 | 38 | 6.24 |
| 2023 | 3 | 5.63 |
It may take a day or so for new Build Keycloak vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Build Keycloak Security Vulnerabilities
Privilege Escalation in Keycloak admin-ui-ext Bulk Role-Removal
CVE-2026-11986
4.9 - Medium
- June 11, 2026
A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.
forced browsing
Keycloak PartialImport FGAP Escalation via Admin Import
CVE-2026-11577
7.2 - High
- June 08, 2026
A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.
AuthZ
Keycloak group-member endpoint bypass leads to info disclosure (CVE-2026-9088)
CVE-2026-9088
2.7 - Low
- June 05, 2026
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
Insufficient Granularity of Access Control
Keycloak ClientRegistrationAuth DoS via malformed Bearer header
CVE-2026-9803
5.3 - Medium
- May 28, 2026
A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.
Out-of-bounds Read
Keycloak token replay after revocation via server restart
CVE-2026-9802
6.8 - Medium
- May 28, 2026
A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
Insufficient Session Expiration
Keycloak LDAP Password Policy DoS via OutOfMemoryError
CVE-2026-9801
4.9 - Medium
- May 28, 2026
A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.
Improper Validation of Specified Quantity in Input
Keycloak CIBA flow bypass for account lock via brute-force
CVE-2026-9798
4.3 - Medium
- May 28, 2026
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
Authentication Bypass by Primary Weakness
Keycloak TOCTOU Privilege Escalation via Role Check Exploit
CVE-2026-9796
6.5 - Medium
- May 28, 2026
A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots.
TOCTTOU
Keycloak FGAPv2 Role Assignment Bypass Exploits Admin Permissions
CVE-2026-9795
7.3 - High
- May 28, 2026
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.
Incorrect Privilege Assignment
Keycloak SAML ECP Info Disclosure via SOAP XML Fault Strings
CVE-2026-9794
5.3 - Medium
- May 28, 2026
A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client's protocol type, leading to information disclosure.
Generation of Error Message Containing Sensitive Information
Keycloak Client Policy Bypass Enables Unauth ROPC Grant
CVE-2026-9792
6.5 - Medium
- May 28, 2026
A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
Improper Handling of Insufficient Permissions or Privileges
Keycloak JWE Decryption Bypass Allows Unauthorized OIDC Claims via Signature Oversight
CVE-2026-9793
5.9 - Medium
- May 28, 2026
A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leading to a compromise of data integrity within the OpenID Connect (OIDC) authorization flow. While a redirect URI allowlist acts as a compensating control, this vulnerability violates OIDC Core and Financial-grade API (FAPI) signing requirements.
Improper Verification of Cryptographic Signature
Keycloak OIDC Org Metadata Leak via Authz Bypass
CVE-2026-9791
4.3 - Medium
- May 28, 2026
A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.
AuthZ
Keycloak TokenEndpoint JWT Length Bypass Escalates Privileges
CVE-2026-9704
6.8 - Medium
- May 27, 2026
A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.
Improper Validation of Specified Quantity in Input
Keycloak HTTP Parameter Pollution via Broad Redirect URIs
CVE-2026-9689
4.2 - Medium
- May 27, 2026
A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web address. If a user clicks this link, the client application might incorrectly prioritize attacker-controlled information over legitimate data. This vulnerability, known as HTTP parameter pollution, could allow an attacker to bypass security measures or gain unauthorized access to resources.
Improper Validation of Consistency within Input
Keycloak Cross-Session Verification Key Allows Upstream IdP Account Consuming
CVE-2026-9087
6.4 - Medium
- May 20, 2026
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
Insecure Direct Object Reference / IDOR
Keycloak OIDC implicit flow bypass & token leakage
CVE-2026-7571
7.1 - High
- May 19, 2026
A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.
Assumed-Immutable Parameter Tampering
Session Fixation in Keycloak /login-actions restart endpoint (SSO takeover)
CVE-2026-7507
7.5 - High
- May 19, 2026
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint, which processes session handles without adequate CSRF protection or cookie ownership validation, an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.
Authentication Bypass by Spoofing
Keycloak Wildcard Redirect URI Validation Bypass (CVE-2026-7504)
CVE-2026-7504
8.1 - High
- May 19, 2026
A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited. The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java's URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak's validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.
Open Redirect
Keycloak WebAuthn Replay of ExecuteActionsActionToken
CVE-2026-37982
6.8 - Medium
- May 19, 2026
A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.
Authentication Bypass by Capture-replay
Keycloak OIDC Introspection Audience Bypass Vulnerability
CVE-2026-37979
6.5 - Medium
- May 19, 2026
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.
Authorization
Keycloak Admin API PII Leak via view-clients evaluate-scopes
CVE-2026-37978
4.9 - Medium
- May 19, 2026
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.
Insecure Direct Object Reference / IDOR
Keycloak SAML XML DoS: Unauth Remote Attacker via Crafted Input
CVE-2026-7307
7.5 - High
- May 19, 2026
A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.
Improper Validation of Syntactic Correctness of Input
Keycloak: Broken Access Control in Account Resources Lookup Endpoint
CVE-2026-37981
4.3 - Medium
- May 19, 2026
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.
Insufficient Granularity of Access Control
Keycloak IDOR in Authorization Services API
CVE-2026-4630
6.8 - Medium
- May 19, 2026
A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.
Insecure Direct Object Reference / IDOR
Keycloak OIDC Introspection ignores realm-level notBefore revocation
CVE-2026-8922
5.4 - Medium
- May 19, 2026
A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.
Incorrect Implementation of Authentication Algorithm
Keycloak WebAuthn Policy Bypass via Client JS Manipulation
CVE-2026-8830
4.3 - Medium
- May 19, 2026
A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.
Use of Client-Side Authentication
Privilege Escalation: Keycloak Account REST API Partially Disabled
CVE-2026-7500
5.4 - Medium
- April 30, 2026
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional, including both read and write operations, because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
forced browsing
Keycloak: Stored XSS via org.alias in Login Page (manage-realm/organizations)
CVE-2026-37980
6.9 - Medium
- April 14, 2026
A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the `organization.alias` is placed into an inline JavaScript `onclick` handler, allowing a crafted JavaScript payload to execute in a user's browser when they view the login page. Successful exploitation enables arbitrary JavaScript execution, potentially leading to session theft, unauthorized account actions, or further attacks against users of the affected realm.
XSS
Keycloak CORS Header Injection in UMA Token Endpoint via Unsigned azp Claim
CVE-2026-37977
3.7 - Low
- April 06, 2026
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: ["*"]`.
Origin Validation Error
Keycloak uma_protection role: UMA policy bypass to access others' resources
CVE-2026-4636
8.1 - High
- April 02, 2026
A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Keycloak SingleUseObjectProvider Lacks Isolation, Enabling Token Replay
CVE-2026-4325
5.3 - Medium
- April 02, 2026
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.
Separation of Privilege
Keycloak: SingleUseObjectProvider Lacks Isolation, Enabling Unauth Code Forgery
CVE-2026-4282
7.4 - High
- April 02, 2026
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.
Separation of Privilege
Keycloak OIDC Token Endpoint DoS via Excessively Long Scope Parameter
CVE-2026-4634
7.5 - High
- April 02, 2026
A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.
Excessive Platform Resource Consumption within a Loop
Keycloak Redirect URI Wildcard Bypass Leads to Token Theft
CVE-2026-3872
7.3 - High
- April 02, 2026
A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.
Open Redirect
Keycloak Priv Escalation via Misconfigured manage-clients as manage-permissions
CVE-2026-3121
6.5 - Medium
- March 26, 2026
A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.
Incorrect Privilege Assignment
Keycloak UMA Permission Ticket Enum - CVE-2026-3190
CVE-2026-3190
4.3 - Medium
- March 26, 2026
A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partially leads to information disclosure.
Improper Handling of Insufficient Permissions or Privileges
Keycloak SSRF via client_session_host in Refresh Token
CVE-2026-4874
3.1 - Low
- March 26, 2026
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server's network context, potentially probing internal networks or internal APIs, leading to information disclosure.
SSRF
Keycloak ID First Login Error Message CVE-2026-4633: User Enumeration
CVE-2026-4633
3.7 - Low
- March 23, 2026
A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.
Generation of Error Message Containing Sensitive Information
Keycloak UMA resource_set Endpoint: Access Control Bypass via PUT
CVE-2026-4628
4.3 - Medium
- March 23, 2026
A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak's User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.
Authorization
Keycloak Improper HTTP Redirect Handling leads to Info Disclosure
CVE-2026-4366
5.8 - Medium
- March 18, 2026
A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or restricted resources. As a result, sensitive internal services such as cloud metadata endpoints could be accessed. This issue may lead to information disclosure and enable attackers to map internal network infrastructure.
SSRF
Keycloak DoS via max SAMLRequest over SAML Redirect Binding
CVE-2026-2575
5.3 - Medium
- March 18, 2026
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application-level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.
Data Amplification
Keycloak SAML Endpoint Bypass via Crafted IdP Response
CVE-2026-2603
8.1 - High
- March 18, 2026
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.
Missing Authentication for Critical Function
Keycloak SAML Broker Unvalidated Encrypted Assertion Attack
CVE-2026-2092
7.7 - High
- March 18, 2026
A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.
Improper Validation of Specified Type of Input
Keycloak Admin API Auth Bypass: Org Membership Enumeration
CVE-2026-2366
3.1 - Low
- March 12, 2026
A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
Insecure Direct Object Reference / IDOR
Keycloak REST API Privilege Escalation via MFA Credential Delete
CVE-2026-3429
4.2 - Medium
- March 11, 2026
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim's password can delete the victim's registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.
Authorization
Keycloak UserResource viewusers Role IDP Disclosure
CVE-2026-3911
2.7 - Low
- March 11, 2026
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.
Privacy violation
Keycloak SAML Broker Auth Bypass via Disabled Client
CVE-2026-3047
8.8 - High
- March 05, 2026
A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.
Authentication Bypass by Primary Weakness
Keycloak IdentityBroker Auth Bypass via Disabled IdP
CVE-2026-3009
8.1 - High
- March 05, 2026
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.
AuthZ
Keycloak WebAuthn Auth Attestation Bypass (fmt none)
CVE-2025-12150
3.1 - Low
- February 27, 2026
A flaw was found in Keycloak's WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.
Improper Verification of Cryptographic Signature