Red Hat Keycloak
Recent Red Hat Keycloak Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:3948 | (RHSA-2026:3948) Important: Red Hat build of Keycloak 26.4.10 Images Update | March 5, 2026 |
| RHSA-2026:3947 | (RHSA-2026:3947) Important: Red Hat build of Keycloak 26.4.10 Update | March 5, 2026 |
| RHSA-2026:3926 | (RHSA-2026:3926) Important: Red Hat build of Keycloak 26.2.14 Update | March 5, 2026 |
| RHSA-2026:3925 | (RHSA-2026:3925) Important: Red Hat build of Keycloak 26.2.14 Images Update | March 5, 2026 |
| RHSA-2026:2366 | (RHSA-2026:2366) Important: Red Hat build of Keycloak 26.4.9 Images Security Update | February 9, 2026 |
| RHSA-2026:2365 | (RHSA-2026:2365) Important: Red Hat build of Keycloak 26.4.9 Security Update | February 9, 2026 |
| RHSA-2026:2364 | (RHSA-2026:2364) Important: Red Hat build of Keycloak 26.2.13 Images Security Update | February 9, 2026 |
| RHSA-2026:2363 | (RHSA-2026:2363) Important: Red Hat build of Keycloak 26.2.13 Security Update | February 9, 2026 |
| RHSA-2025:22091 | (RHSA-2025:22091) Moderate: Red Hat build of Keycloak 26.4.6 Security Update | November 25, 2025 |
| RHSA-2025:22090 | (RHSA-2025:22090) Moderate: Red Hat build of Keycloak 26.4.6 Images Security Update | November 25, 2025 |
By the Year
In 2026 there have been 2 vulnerabilities in Red Hat Keycloak with an average score of 6.8 out of ten. Last year, in 2025, Keycloak had 20 security vulnerabilities published. Right now, Keycloak is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is higher by 1.52.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2 | 6.75 |
| 2025 | 20 | 5.23 |
| 2024 | 25 | 6.27 |
| 2023 | 15 | 6.11 |
| 2022 | 14 | 6.80 |
| 2021 | 11 | 5.60 |
| 2020 | 21 | 6.23 |
| 2019 | 8 | 6.20 |
| 2018 | 6 | 0.00 |
It may take a day or so for new Keycloak vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Keycloak Security Vulnerabilities
Keycloak UMA Policy Bypass via Owner Check Leak
CVE-2025-14778
5.4 - Medium
- February 09, 2026
A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This allows a user (Owner A) who owns one resource (RA) to update a shared policy and modify authorization rules for other resources (e.g., RB) in that same policy, even if those other resources are owned by a different user (Owner B). This constitutes a horizontal privilege escalation.
Incorrect Privilege Assignment
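The check described above, as an added example rather than Keycloak's own code: an in-memory stand-in for a resource server's UMA policy store with the flawed owner check (ownership verified against the first resource only) next to the corrected one (the caller must own every resource the policy names). Resource ids RA/RB, the owner ids and the scope names are constructed for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class Resource:
    id: str
    owner: str


@dataclass
class Policy:
    id: str
    resources: list            # ids of every resource this shared policy applies to
    scopes: set = field(default_factory=set)


class PermissionDenied(Exception):
    pass


class UmaPolicyStore:
    """In-memory stand-in for a resource server's UMA policy store (constructed)."""

    def __init__(self):
        self.resources = {}
        self.policies = {}

    def add_resource(self, resource):
        self.resources[resource.id] = resource

    def add_policy(self, policy):
        self.policies[policy.id] = policy

    def update_policy_vulnerable(self, caller, policy_id, new_scopes):
        """Flawed check: ownership is verified against policy.resources[0] only,
        so every other resource in the list is modified without its owner's say."""
        policy = self.policies[policy_id]
        first = self.resources[policy.resources[0]]
        if first.owner != caller:
            raise PermissionDenied(f"{caller} does not own {first.id}")
        policy.scopes = set(new_scopes)
        return policy

    def update_policy_fixed(self, caller, policy_id, new_scopes):
        """Corrected check: the caller must own every resource the policy names."""
        policy = self.policies[policy_id]
        foreign = [rid for rid in policy.resources if self.resources[rid].owner != caller]
        if foreign:
            raise PermissionDenied(f"{caller} does not own {foreign}")
        policy.scopes = set(new_scopes)
        return policy


def build_shared_store():
    """Owner A owns RA, Owner B owns RB, and one policy spans both (constructed)."""
    store = UmaPolicyStore()
    store.add_resource(Resource("RA", "owner-a"))
    store.add_resource(Resource("RB", "owner-b"))
    store.add_policy(Policy("shared", ["RA", "RB"], {"view"}))
    return store


def try_update(store, method_name, caller, new_scopes):
    """Run one of the two update methods; returns the resulting scope set or 'denied'."""
    try:
        return set(getattr(store, method_name)(caller, "shared", new_scopes).scopes)
    except PermissionDenied:
        return "denied"
```

With the vulnerable method Owner A widens the shared policy to `{"view", "delete"}` and that now applies to RB as well; with the fixed method the same call is denied. Note that the vulnerable check also depends on list order: Owner B is denied on the same policy only because RA happens to be listed first.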
Keycloak JWT Signature Bypass Allows Unauthorized Org Self-Registration
CVE-2026-1529
8.1 - High
- February 09, 2026
A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access.
Improper Verification of Cryptographic Signature
Keycloak TLS 1.2 Renegotiation DoS (unauthenticated, CPU exhaustion)
CVE-2025-11419
7.5 - High
- December 23, 2025
A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable.
Allocation of Resources Without Limits or Throttling
Keycloak Admin API IDOR via ResourceSetService
CVE-2025-14777
6 - Medium
- December 16, 2025
A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.
Authentication Bypass by Alternate Name
Keycloak Admin REST API Info Disclosure via /roles endpoint
CVE-2025-14082
2.7 - Low
- December 10, 2025
A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.
Authorization
Keycloak LDAP Federation Deserialization via Malicious LDAP (CVE-2025-13467)
CVE-2025-13467
5.5 - Medium
- November 25, 2025
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.
Marshaling, Unmarshaling
Keycloak JDWP debug mode auto bind to 0.0.0.0 RCE
CVE-2025-11538
6.8 - Medium
- November 13, 2025
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.
Binding to an Unrestricted IP Address
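Two practitioner checks for the exposure described above, written as an added example and not taken from Keycloak or the JDK: a parser that flags a `-agentlib:jdwp=` option string whose listener binds every interface, and a network probe that detects a reachable JDWP listener by its handshake (a JDWP endpoint echoes the 14-byte string `JDWP-Handshake` back verbatim). The bare-port case is treated as loopback, which assumes JDK 9 or later; the fake listener is a constructed stand-in so the probe can be exercised offline.

```python
import socket
import threading

HANDSHAKE = b"JDWP-Handshake"   # 14 bytes; a JDWP listener echoes it back verbatim


def jdwp_listens_on_all_interfaces(agent_opts: str) -> bool:
    """agent_opts is the text after '-agentlib:jdwp=', e.g.
    'transport=dt_socket,server=y,suspend=n,address=*:8787'.
    Flags the address forms that accept connections from every interface."""
    opts = dict(kv.split("=", 1) for kv in agent_opts.split(",") if "=" in kv)
    if opts.get("server", "n") != "y":
        return False                      # client mode: the JVM dials out, nothing listens
    address = opts.get("address", "")
    host, sep, _port = address.rpartition(":")
    if not sep:
        return False                      # bare port: loopback only on JDK 9+ (assumed runtime)
    host = host.strip("[]")
    return host in ("", "*", "0.0.0.0", "::")   # empty host treated as wildcard (conservative)


def probe_jdwp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when the peer completes the JDWP handshake, i.e. a debugger could attach."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(HANDSHAKE)
            reply = b""
            while len(reply) < len(HANDSHAKE):
                chunk = s.recv(len(HANDSHAKE) - len(reply))
                if not chunk:
                    break
                reply += chunk
            return reply == HANDSHAKE
    except OSError:
        return False


def start_fake_listener(reply: bytes = HANDSHAKE, host: str = "127.0.0.1") -> int:
    """Constructed stand-in for a JVM's debug listener so the probe can be tried
    offline: accepts one connection, reads the client's handshake, sends `reply`.
    Returns the port it was bound to."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(len(HANDSHAKE))
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port
```

If debugging is needed on a shared host, the safe form is an explicit loopback address such as `address=127.0.0.1:8787` (or `localhost:8787`) and an SSH tunnel for remote access; the probe is what to run from a neighbouring machine to confirm nothing else is answering.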
Keycloak Session ID Reuse Allows Token Hijacking
CVE-2025-12390
6 - Medium
- October 28, 2025
A flaw was found in Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and does not clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.
Session Fixation
Keycloak | Relative Path Normalization flaw enabling /admin via HAProxy
CVE-2025-10939
3.7 - Low
- October 28, 2025
A flaw was found in Keycloak. The Keycloak guides recommend not exposing the /admin path to the outside when the installation sits behind a proxy. The issue occurs at least via HAProxy, which can be tricked by relative, non-normalized paths into reaching the /admin application path relative to /realms, which is expected to be exposed.
DLL preloading
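The class of mismatch described above, as an added example that is neither Keycloak nor HAProxy code: a deny rule that matches the raw request path lets `/realms/../admin/...` through, while the backend router normalizes the path and serves `/admin`. The rule should be applied to the canonical path instead. The deny list and the sample paths are constructed.

```python
import posixpath
from urllib.parse import unquote

BLOCKED = ("/admin", "/metrics", "/health")     # assumed proxy deny list


def _under(path: str, prefix: str) -> bool:
    """Segment-aware prefix match: '/admin' and '/admin/x', but not '/administrator'."""
    return path == prefix or path.startswith(prefix + "/")


def raw_prefix_block(path: str) -> bool:
    """The weak rule: match the request path exactly as received."""
    return any(_under(path, p) for p in BLOCKED)


def canonical_path(path: str) -> str:
    """What a backend router ends up with: percent-decoding (repeated, so double
    encoding does not survive), dot-segment removal and slash merging."""
    decoded = path
    while True:
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    norm = posixpath.normpath(decoded)
    norm = "/" + norm.lstrip("/")            # normpath keeps a leading "//"; collapse it
    if decoded.endswith("/") and norm != "/":
        norm += "/"
    return norm


def normalized_prefix_block(path: str) -> bool:
    """The rule a proxy should apply: normalize first, then match."""
    return any(_under(canonical_path(path), p) for p in BLOCKED)
```

HAProxy 2.4 and later can do the normalization itself with `http-request normalize-uri` (for example the `path-strip-dotdot` and `path-merge-slashes` normalizers) before the ACL is evaluated; whichever proxy is in front, the check is that the two functions above agree for every hostile path you can think of.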
Keycloak Offline Session Persistence when Offline_Access scope removed
CVE-2025-12110
5.4 - Medium
- October 23, 2025
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.
Insufficient Session Expiration
Keycloak Windows Path Traversal in Vault Key Handling (CVE-2025-10043)
CVE-2025-10043
- September 05, 2025
Keycloak: Unvalidated error_description param enables XSS/Phishing
CVE-2025-10044
4.3 - Medium
- September 05, 2025
A flaw was found in Keycloak. Keycloak's account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors.
XSS
SMTP Injection in Keycloak Services via Email Registration
CVE-2025-8419
5.3 - Medium
- August 06, 2025
A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (the limited local part of the email address), so the attack is limited to very short emails (a subject and little data; the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.
CRLF Injection
Keycloak FGAPv2 Priv Escalation via Manage-Users Role
CVE-2025-7784
6.5 - Medium
- July 18, 2025
A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm.
Improper Privilege Management
Keycloak IdP Merge flaw enabling phishing via email hijack
CVE-2025-7365
7.1 - High
- July 10, 2025
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.
Origin Validation Error
Keycloak /admin/serverinfo Info Disclosure via Authenticated Access
CVE-2025-5416
2.7 - Low
- June 20, 2025
A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Keycloak org.keycloak.auth bypass of required actions (2FA)
CVE-2025-3910
5.4 - Medium
- April 29, 2025
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.
Authentication
Keycloak JWT Cache OOM DoS via Long Expiration Tokens
CVE-2025-2559
4.9 - Medium
- March 25, 2025
A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.
Allocation of Resources Without Limits or Throttling
Keycloak Admin XSS via Malicious Permission Payload
CVE-2024-4028
3.8 - Low
- February 18, 2025
A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.
Improper Input Validation
Keycloak Org Mapper Misassigns Org via Username/Email Pattern (CVE-2025-1391)
CVE-2025-1391
5.4 - Medium
- February 17, 2025
A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization's domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.
Authorization
Keycloak Auth Bypass via AD Password Reset
CVE-2025-0604
5.4 - Medium
- January 22, 2025
A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycloak, bypassing AD restrictions. The issue enables authentication bypass and could allow unauthorized access under certain conditions.
Authentication
Keycloak URL Placeholder Abuse Exposes Server Env Vars
CVE-2024-11736
4.9 - Medium
- January 14, 2025
A vulnerability was found in Keycloak. Admin users may have access to sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing.
Exposure of Sensitive Information Through Environmental Variables
Keycloak: Sensitive Information Disclosure in JGroups Replication Configuration
CVE-2024-10973
5.7 - Medium
- December 17, 2024
A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information.
Cleartext Transmission of Sensitive Information
Keycloak Privilege Escalation via Vault File Access
CVE-2024-10492
- November 25, 2024
A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.
External Control of File Name or Path
Keycloak Information Disclosure Vulnerability in Build Process
CVE-2024-10451
5.9 - Medium
- November 25, 2024
A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as default values, making it accessible at runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.
Use of Hard-coded Credentials
Keycloak-services: Denial of Service via Regex Complexity in SearchQueryUtils
CVE-2024-10270
6.5 - Medium
- November 25, 2024
A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.
ReDoS
Keycloak Server: Denial of Service via Improper Proxy Header Validation
CVE-2024-9666
4.7 - Medium
- November 25, 2024
A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.
HTTP Request Smuggling
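The validation that entry calls for, as an added example and not Keycloak's own code: a forwarded-header parser that walks X-Forwarded-For from the right, skips the proxies it trusts, and accepts the first untrusted hop only if it is a literal IP address. Hostnames, RFC 7239 style `_obfuscated` identifiers and `unknown` are rejected before anything could be handed to a resolver. The trusted proxy set and the header values are constructed; the header name is assumed to be what your proxy sets.

```python
import ipaddress
from typing import Optional


def _parse_forwarded_entry(entry: str) -> Optional[str]:
    """Accept only a literal IPv4/IPv6 address, optionally with port or brackets.
    Anything else is rejected without ever being passed to DNS."""
    entry = entry.strip()
    if entry.startswith("["):                        # [v6]:port or [v6]
        host = entry[1:].split("]", 1)[0]
    elif entry.count(":") == 1:                      # v4:port
        host = entry.split(":", 1)[0]
    else:
        host = entry                                 # bare v4 or bare v6
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def client_ip_from_forwarded(headers: dict, trusted_proxies: set) -> Optional[str]:
    """Walk X-Forwarded-For right to left, skipping our own proxies, and return the
    first untrusted hop only if it is well formed. None means: do not trust the
    header; fall back to the socket peer address."""
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return None
    for entry in reversed(xff.split(",")):
        ip = _parse_forwarded_entry(entry)
        if ip is None:
            return None               # malformed hop: discard the whole chain
        if ip in trusted_proxies:
            continue
        return ip
    return None                       # every hop was one of our proxies
```

The two configuration points the entry names still apply: the reverse proxy should overwrite (not append to) the incoming header, and the application should only be told to trust the header when that is the case.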
Keycloak: Improper Token Type Enforcement in Signature Validation
CVE-2023-0657
3.4 - Low
- November 17, 2024
A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
Improper Check for Dropped Privileges
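An added example, not Keycloak code, covering this entry and the invitation-token entry (CVE-2026-1529) above: a minimal HS256 JWT issuer and verifier built only on the standard library. It shows the two checks those entries turn on. The signature must be verified before any claim such as an organization id or e-mail is trusted, so a payload rewritten by the bearer fails; and the token type must be pinned to what the endpoint expects, so a logout token is not accepted where an access token is required. The claim names, the `typ` values (`invite+jwt`, `at+jwt`, `logout+jwt`) and the key are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(claims: dict, key: bytes, typ: str) -> str:
    """Mint an HS256 JWT whose header 'typ' says what kind of token it is."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class InvalidToken(Exception):
    pass


def verify(token: str, key: bytes, expected_typ: str, now: float = None) -> dict:
    """Signature first, then type, then expiry; claims come back only after all three."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise InvalidToken("malformed")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise InvalidToken("alg not allowed")            # no alg=none, no algorithm switching
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise InvalidToken("bad signature")
    if header.get("typ") != expected_typ:
        raise InvalidToken(f"token type {header.get('typ')!r} not accepted here")
    claims = json.loads(_b64url_decode(p_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise InvalidToken("expired")
    return claims


def tamper(token: str, **changes) -> str:
    """The attacker step from CVE-2026-1529: rewrite claims, keep the original signature."""
    h_b64, p_b64, s_b64 = token.split(".")
    claims = json.loads(_b64url_decode(p_b64))
    claims.update(changes)
    return h_b64 + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s_b64


def unverified_claims(token: str) -> dict:
    """What a consumer sees if it skips verify(): whatever the bearer wrote."""
    return json.loads(_b64url_decode(token.split(".")[1]))
```

The ordering in `verify` matters: the type and expiry checks read header and payload fields, which are attacker-controlled until the MAC has been checked, so nothing about the token is interpreted before the signature passes.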
Keycloak LDAP Injection Vulnerability
CVE-2022-2232
7.5 - High
- November 14, 2024
A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions.
Improper Input Validation
Keycloak REST API Privilege Escalation (CVE-2024-3656)
CVE-2024-3656
8.1 - High
- October 09, 2024
A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
Information Disclosure
Keycloak XMLSignatureUtil flaw: SAML sig validation bypass for privilege escalation
CVE-2024-8698
7.7 - High
- September 19, 2024
A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.
Improper Verification of Cryptographic Signature
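The scoping decision that entry turns on, as an added example and not Keycloak code: decide what a SAML signature covers from its `ds:Reference` URI rather than from where the `ds:Signature` element sits in the tree. Only the scope logic is shown; digest computation, canonicalisation and the signature check itself belong to a real XML-DSig library. The sample response is constructed, with dummy digest and signature values, and places a Signature directly under the Response (where a document signature would sit) whose Reference points only at the Assertion.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SIG_TAG = "{%s}Signature" % NS["ds"]

# Constructed response: Signature is a child of Response, but its Reference is the Assertion.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" Destination="https://sp.example.com/saml/acs">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_assertion1"><ds:DigestValue>dummy</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>dummy</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_assertion1">
    <saml:Subject><saml:NameID>victim@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def scope_by_position(root) -> str:
    """The flawed heuristic: a Signature that is a direct child of the Response
    is taken to sign the whole Response."""
    parents = {child: parent for parent in root.iter() for child in parent}
    sig = next(root.iter(SIG_TAG), None)
    if sig is None:
        return "unsigned"
    return "Response" if parents[sig] is root else _local(parents[sig].tag)


def scope_by_reference(root) -> set:
    """Resolve every ds:Reference URI to the element carrying that ID and report
    the local names of what is actually covered."""
    by_id = {el.get("ID"): el for el in root.iter() if el.get("ID")}
    covered = set()
    for sig in root.iter(SIG_TAG):
        for ref in sig.iterfind("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            if uri == "":
                target = root                          # empty URI: the whole document
            elif uri.startswith("#") and uri[1:] in by_id:
                target = by_id[uri[1:]]
            else:
                raise ValueError(f"unresolvable Reference URI {uri!r}")
            covered.add(_local(target.tag))
    return covered


def response_is_signed(xml_text: str) -> bool:
    """Trust a Response-level signature only when a Reference resolves to the Response."""
    return "Response" in scope_by_reference(ET.fromstring(xml_text))
```

For the sample, the position heuristic answers "Response" while the references cover only the Assertion, which is exactly the gap a crafted response exploits. A production verifier additionally needs to reject duplicate ID attributes, verify each digest over the canonicalised referenced element, and parse untrusted XML with entity expansion disabled (for example via defusedxml).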
Keycloak DoS via Unbounded Attribute Values
CVE-2023-6841
7.5 - High
- September 10, 2024
A denial of service vulnerability was found in Keycloak where the number of attributes per object is not limited. An attacker sending repeated HTTP requests could cause resource exhaustion when the application sends back rows with long attribute values.
Improper Handling of Extra Values
Keycloak expired OTP tokens still valid 30s after expiry (FreeOTP)
CVE-2024-7318
4.8 - Medium
- September 09, 2024
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and being deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds, totaling 1 minute. A one-time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.
Use of a Key Past its Expiration Date
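To make the window concrete, an added example that is neither Keycloak nor FreeOTP code: RFC 6238 TOTP over RFC 4226 HOTP with an explicit look-behind parameter and a replay guard. With a look-behind of one step a 30-second code keeps being accepted for up to 60 seconds and two codes are accepted at any moment; with a look-behind of zero it expires at the step boundary; and remembering the highest step already consumed stops a second use of the same code even inside the window. The secret is the RFC 6238 test-vector key, so the first assertion is checkable against the RFC.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the primitive TOTP is built on."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(at / period)."""
    return hotp(secret, at // period, digits)


class TotpVerifier:
    def __init__(self, secret: bytes, period: int = 30, digits: int = 6,
                 look_behind: int = 1, look_ahead: int = 0):
        self.secret, self.period, self.digits = secret, period, digits
        self.look_behind, self.look_ahead = look_behind, look_ahead
        self.last_counter = -1     # highest step already consumed (replay guard)

    def verify(self, code: str, at: int) -> bool:
        current = at // self.period
        for delta in range(-self.look_behind, self.look_ahead + 1):
            step = current + delta
            if step < 0:
                continue
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                if step <= self.last_counter:
                    return False   # already used: a matching code is not reusable
                self.last_counter = step
                return True
        return False


def acceptance_window_seconds(secret: bytes, issued_at: int, period: int = 30,
                              look_behind: int = 1) -> int:
    """How long a code generated at `issued_at` keeps being accepted. A fresh
    verifier is used for every probe so only the window, not the replay guard,
    determines the answer."""
    code = totp(secret, issued_at, period)
    t = issued_at
    while TotpVerifier(secret, period, look_behind=look_behind).verify(code, t):
        t += 1
    return t - issued_at
```

A small look-behind is a deliberate clock-drift allowance in many deployments; the point of the entry is that the effective validity of a code is `period * (1 + look_behind)`, not `period`, and that this should be an informed choice paired with replay protection rather than an accident.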
Keycloak SAML adapters: session fixation via stale JSESSIONID cookie
CVE-2024-7341
7.1 - High
- September 09, 2024
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
Session Fixation
Keycloak Open Redirect via referrer_uri Phishing Risk
CVE-2024-7260
6.1 - Medium
- September 09, 2024
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user into visiting a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email, for example. This will trigger the vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as an OAuth redirect URI. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.
Open Redirect
Keycloak Login Timing Bypass Allows Exceeding Brute Force Limits
CVE-2024-4629
6.5 - Medium
- September 03, 2024
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
Improper Enforcement of a Single, Unique Action
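The race that entry describes, reproduced deterministically as an added example (not Keycloak's brute-force detector): a check-then-record guard that reads the failure counter, verifies the password and only then writes the failure, next to a guard that reserves an attempt slot under a lock before it looks at the credential. A barrier holds all concurrent requests in the window between check and record, which is the interleaving an attacker aims for with simultaneous requests. User name, passwords and limits are constructed.

```python
import threading


class CheckThenRecordGuard:
    """The vulnerable shape: read the counter, verify the credential, then record
    the failure. Every request that reads before the first write gets through,
    however many there are."""

    def __init__(self, max_failures: int):
        self.max_failures = max_failures
        self.failures = {}

    def attempt(self, user, password, correct, between=None):
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked"
        if between:
            between()                     # hook used below to park requests in the race window
        if password == correct:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "wrong"


class ReserveThenVerifyGuard:
    """One remedy: take a slot from the budget atomically before the credential is
    ever examined, so the order of concurrent requests no longer matters."""

    def __init__(self, max_failures: int):
        self.max_failures = max_failures
        self.failures = {}
        self.lock = threading.Lock()

    def attempt(self, user, password, correct, between=None):
        with self.lock:
            used = self.failures.get(user, 0) + 1
            if used > self.max_failures:
                return "locked"
            self.failures[user] = used
        if between:
            between()
        if password == correct:
            with self.lock:
                self.failures[user] = 0   # success releases the budget
            return "ok"
        return "wrong"


def run_parallel(guard, n_requests: int, hold_in_window: bool) -> dict:
    """Fire n_requests wrong-password logins for one user at once and tally the
    outcomes. hold_in_window=True parks every request at a barrier between the
    check and the record step; use it only with CheckThenRecordGuard, since the
    reserving guard turns most requests away before they reach the hook."""
    barrier = threading.Barrier(n_requests)
    between = barrier.wait if hold_in_window else None
    results = []

    def worker(i):
        results.append(guard.attempt("alice", f"guess-{i}", "correct horse battery", between))

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {outcome: results.count(outcome) for outcome in ("wrong", "locked", "ok")}
```

With a limit of three failures, ten simultaneous guesses against the first guard are all evaluated; against the second, three are evaluated and seven are refused, which is the behaviour the configured limit promises. In a clustered deployment the same reservation has to happen against shared state (an atomic increment in the database or cache), not a per-node counter.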
Keycloak LDAP Endpoint: Admin Can Flip Connection URL to Steal Bind Creds
CVE-2024-5967
2.7 - Low
- June 18, 2024
A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console or compromised a user with sufficient privileges can leak domain credentials and attack the domain.
Incorrect Default Permissions
Keycloak PAR Cookie Plaintext Disclosure (CVE-2024-4540)
CVE-2024-4540
7.5 - High
- June 03, 2024
A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability.
Cleartext Storage of Sensitive Information
Keycloak XSS via Malicious ACS URLs (CVE-2023-6717)
CVE-2023-6717
6 - Medium
- April 25, 2024
A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.
XSS
Keycloak Re-authentication Session Hijacking (prompt=login)
CVE-2023-6787
6.5 - Medium
- April 25, 2024
A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting "Restart login," an account takeover may occur, as the new session, with a different SUB, will possess the same SID as the previous session.
Authentication
Keycloak DCR RegEx flaw enables unauthorized client registration
CVE-2023-6544
5.4 - Medium
- April 25, 2024
A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this specific Dynamic Client Registration and TrustedDomain configuration previously unauthorized.
Permissive Regular Expression
Keycloak Authentication Bypass via Unvalidated Client Step-Up
CVE-2023-3597
5 - Medium
- April 25, 2024
A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass authentication.
Authentication
Keycloak Redirect URI Validation Bypass via Wildcard URIs
CVE-2024-1132
8.1 - High
- April 17, 2024
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
Directory traversal
Keycloak redirect_uri Validation Bypass Enables Token Theft
CVE-2024-2419
7.1 - High
- April 17, 2024
A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to CVE-2023-6291.
Open Redirect
Remote unauthenticated attacker can block accounts in Keycloak
CVE-2024-1722
3.7 - Low
- February 29, 2024
A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.
Overly Restrictive Account Lockout Mechanism
Keycloak 11.3 OAuth2 client_secret_jwt Auth Bypass
CVE-2023-40545
9.8 - Critical
- February 06, 2024
Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via specially crafted requests.
Missing Authentication for Critical Function
Keycloak Redirect URI Validation Bypass Token Theft
CVE-2023-6291
7.1 - High
- January 26, 2024
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.
Open Redirect
Keycloak JARM form_post.jwt Wildcard Exploit Leaks Auth Tokens
CVE-2023-6927
4.6 - Medium
- December 18, 2023
A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.
Open Redirect
OpenSSH <9.6 BPP handshake flaw allows integrity bypass (Terrapin attack)
CVE-2023-48795
5.9 - Medium
- December 18, 2023
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.
Improper Validation of Integrity Check Value
Keycloak Redirect Scheme Bypass Allows XSS via Wildcard Token
CVE-2023-6134
4.6 - Medium
- December 14, 2023
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.
XSS
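Several entries on this page are redirect-target validation failures: wildcard handling in Valid Redirect URIs (CVE-2024-1132), host allow-list bypasses in redirect_uri (CVE-2024-2419, CVE-2023-6291), a forbidden scheme slipping through when a wildcard is appended (CVE-2023-6134), and the referrer_uri open redirect (CVE-2024-7260). The following added example, which is not Keycloak's validator, shows the shape of a strict matcher: URLs are reduced to exact scheme, host, port and a normalized path; userinfo, fragments, backslashes and nested percent-encoding are refused outright; a registered pattern may carry a single `*` only as its final path segment; and the scheme allow-list is applied to the registered pattern as well as to the incoming URI. The allow-listed schemes, default ports and sample patterns are assumptions.

```python
import posixpath
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"https", "http"}         # assumption: native-app schemes need their own allow list
DEFAULT_PORT = {"https": 443, "http": 80}


class RedirectUriError(ValueError):
    pass


def canonicalize(url: str):
    """Reduce a URL to (scheme, host, port, path) for exact comparison, rejecting
    shapes that have no business in a redirect target."""
    if any(c in url for c in "\\\r\n\t "):
        raise RedirectUriError("forbidden characters")
    p = urlsplit(url)
    scheme = p.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise RedirectUriError(f"scheme {scheme!r} not allowed")   # stops javascript:, data:, ...
    if p.username is not None or p.password is not None:
        raise RedirectUriError("userinfo not allowed")
    if p.fragment:
        raise RedirectUriError("fragment not allowed")
    try:
        port = p.port
    except ValueError:
        raise RedirectUriError("invalid port")
    host = (p.hostname or "").lower()
    if not host:
        raise RedirectUriError("missing host")
    raw = p.path or "/"
    decoded = unquote(raw)
    if "%" in decoded:
        raise RedirectUriError("nested percent-encoding")       # strict: no double-decoding games
    path = posixpath.normpath(decoded)
    if raw.endswith("/") and path != "/":
        path += "/"
    return scheme, host, port or DEFAULT_PORT[scheme], path


def compile_pattern(pattern: str):
    """Registration-time check for a Valid Redirect URI entry: a single '*' is
    allowed only as the final path segment, never in scheme, host or port."""
    if pattern.count("*") > 1 or ("*" in pattern and not pattern.endswith("/*")):
        raise RedirectUriError("wildcard only allowed as trailing path segment")
    wildcard = pattern.endswith("/*")
    scheme, host, port, path = canonicalize(pattern[:-1] if wildcard else pattern)
    return scheme, host, port, path, wildcard


def redirect_allowed(redirect_uri: str, patterns) -> bool:
    """True only for an exact scheme/host/port match and an exact or wildcard-prefix path match."""
    compiled = [compile_pattern(p) for p in patterns]     # raises on a bad registration
    try:
        scheme, host, port, path = canonicalize(redirect_uri)
    except RedirectUriError:
        return False
    for p_scheme, p_host, p_port, p_path, wildcard in compiled:
        if (scheme, host, port) != (p_scheme, p_host, p_port):
            continue
        if path == p_path or (wildcard and path.startswith(p_path)):
            return True
        if wildcard and path == p_path.rstrip("/"):
            return True
    return False
```

The query string is deliberately ignored by the comparison (the client may append state), while the fragment is refused because a fragment in a registered target is where implicit-flow tokens would end up. The same canonicalization is what a referrer-style parameter needs before it is ever placed in a Location header or a link.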