Red Hat Single Sign On


By the Year

In 2026 there have been 7 vulnerabilities in Red Hat Single Sign On, with an average score of 5.9 out of ten. Last year, in 2025, Red Hat Single Sign On had 11 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Red Hat Single Sign On in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.47.

Year  Vulnerabilities  Average Score
2026  7                5.89
2025  11               6.35
2024  30               6.38
2023  5                5.76

It may take a day or so for new Red Hat Single Sign On vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Single Sign On Security Vulnerabilities

Keycloak Docker v2 Auth: Tokens Issued Post-Disable (CVE-2026-2733)
CVE-2026-2733 3.8 - Low - February 19, 2026

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client Enabled setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.

AuthZ

Undertow OOM via large servlet param names
CVE-2024-4027 7.5 - High - January 30, 2026

A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.

Improper Input Validation

Keycloak SAML NotOnOrAfter Validation Bypass Enables Session Extension
CVE-2026-1190 3.1 - Low - January 26, 2026

A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.

Missing XML Validation

Hibernate Second-Order SQLi via InlineIdsOrClauseBuilder
CVE-2026-0603 8.3 - High - January 23, 2026

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.

SQL Injection

Keycloak Refresh Token Rotation Bypass via Atomicity Flaw
CVE-2026-1035 3.1 - Low - January 21, 2026

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak's refresh token rotation hardening can be undermined.

TOCTTOU

Keycloak OIDC DCR leaks internal resources via arbitrary jwks_uri
CVE-2026-1180 5.8 - Medium - January 20, 2026

A flaw was identified in Keycloak's OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.

SSRF

Undertow Host Header Validation Flaw Enables Cache Poisoning
CVE-2025-12543 9.6 - Critical - January 07, 2026

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

Improper Input Validation

Undertow OOM DoS via Large application/x-www-form-urlencoded
CVE-2024-3884 7.5 - High - December 03, 2025

A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.

Improper Input Validation

Red Hat SSO Open Redirect in OpenID Connect Logout
CVE-2025-12789 6.1 - Medium - November 06, 2025

A flaw was found in Red Hat Single Sign-On. This issue is an Open Redirect vulnerability that occurs during the logout process. The redirect_uri parameter associated with the openid-connect logout protocol does not properly validate the provided URL.

Open Redirect

Undertow DoS via MadeYouReset Server-Reset Abuse
CVE-2025-9784 7.5 - High - September 02, 2025

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

Allocation of Resources Without Limits or Throttling

Keycloak FGAPv2 Priv Escalation via Manage-Users Role
CVE-2025-7784 6.5 - Medium - July 18, 2025

A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm.

Improper Privilege Management

Keycloak Cert Trust Skip via VERIFICATION POLICY=ALL
CVE-2025-3501 8.2 - High - April 29, 2025

A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.

Improper Validation of Certificate with Host Mismatch

Keycloak JWT Cache OOM DoS via Long Expiration Tokens
CVE-2025-2559 4.9 - Medium - March 25, 2025

A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.

Allocation of Resources Without Limits or Throttling

Wildfly Elytron CLI Brute Force Vulnerability
CVE-2025-23368 8.1 - High - March 04, 2025

A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI.

Improper Restriction of Excessive Authentication Attempts

Keycloak Admin XSS via Malicious Permission Payload
CVE-2024-4028 3.8 - Low - February 18, 2025

A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.

Improper Input Validation

serialize-javascript XSS via unsanitized regex input
CVE-2024-11831 5.4 - Medium - February 10, 2025

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

XSS

Wildfly RBAC flaw enables unauthorized suspend/resume of server
CVE-2025-23367 6.5 - Medium - January 30, 2025

A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.

Authorization

Keycloak Auth Bypass via AD Password Reset
CVE-2025-0604 5.4 - Medium - January 22, 2025

A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycloak, bypassing AD restrictions. The issue enables authentication bypass and could allow unauthorized access under certain conditions.

Authentication

Keycloak Privilege Escalation via Vault File Access
CVE-2024-10492 - November 25, 2024

A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.

External Control of File Name or Path

Keycloak-services: Denial of Service via Regex Complexity in SearchQueryUtils
CVE-2024-10270 6.5 - Medium - November 25, 2024

A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.

ReDoS

Keycloak Information Disclosure Vulnerability in Build Process
CVE-2024-10451 5.9 - Medium - November 25, 2024

A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.

Use of Hard-coded Credentials

XSS in WildFly Deployment System Enables RCE
CVE-2024-10234 6.1 - Medium - October 22, 2024

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. This flaw allows an attacker or insider to execute a deployment with a malicious payload, which could trigger undesired behavior against the server.

XSS

Keycloak REST API Privilege Escalation (CVE-2024-3656)
CVE-2024-3656 8.1 - High - October 09, 2024

A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

Information Disclosure

Keycloak XMLSignatureUtil flaw: SAML sig validation bypass for privilege escalation
CVE-2024-8698 7.7 - High - September 19, 2024

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.

Improper Verification of Cryptographic Signature

Keycloak Redirect URI: http://localhost Misconfig allows session hijack
CVE-2024-8883 6.1 - Medium - September 19, 2024

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

Open Redirect

Keycloak DoS via Unbounded Attribute Values
CVE-2023-6841 7.5 - High - September 10, 2024

A denial of service vulnerability was found in Keycloak, where the number of attributes per object is not limited. An attacker, by sending repeated HTTP requests, could cause resource exhaustion when the application sends back rows with long attribute values.

Improper Handling of Extra Values

Keycloak SAML adapters: session fixation via stale JSESSIONID cookie
CVE-2024-7341 7.1 - High - September 09, 2024

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

Session Fixation

Keycloak Login Timing Bypass Allows Exceeding Brute Force Limits
CVE-2024-4629 6.5 - Medium - September 03, 2024

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

Improper Enforcement of a Single, Unique Action

Undertow ProxyProtocolReadListener StringBuilder reuse info-leak
CVE-2024-7885 7.5 - High - August 21, 2024

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.

Race Condition

Undertow MaxAge Default -1 Exposes HTTP Learning-Push handler
CVE-2024-3653 5.3 - Medium - July 08, 2024

A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.

Memory Leak

Undertow Chunked DoS: Missing 0\r\n Termination in Java 17 TLSv1.3
CVE-2024-5971 7.5 - High - July 08, 2024

A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent, but the client would continue waiting, as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side open to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.

Stack Exhaustion

Undertow AJP Path Decoding Race Condition DoS
CVE-2024-6162 7.5 - High - June 20, 2024

A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.

Resource Exhaustion

Keycloak LDAP Endpoint: Admin Can Flip Connection URL to Steal Bind Creds
CVE-2024-5967 2.7 - Low - June 18, 2024

A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console or compromised a user with sufficient privileges can leak domain credentials and attack the domain.

Incorrect Default Permissions

Keycloak PAR Cookie Plaintext Disclosure (CVE-2024-4540)
CVE-2024-4540 7.5 - High - June 03, 2024

A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability.

Information Disclosure

Wildfly Mgt Intf DoS via Unbounded Socket Connections
CVE-2024-4029 4.1 - Medium - May 02, 2024

A vulnerability was found in Wildfly's management interface. Due to the lack of limitation of sockets for the management interface, it may be possible to cause a denial of service by hitting the nofile limit, as there is no possibility to configure or set a maximum number of connections.

Allocation of Resources Without Limits or Throttling

JBeret Core: DB credentials exposed via dbProperties logging
CVE-2024-1102 6.5 - Medium - April 25, 2024

A vulnerability was found in jberet-core logging. An exception in 'dbProperties' might display user credentials such as the username and password for the database connection.

Unprotected Transport of Credentials

Keycloak Log Injection via WebAuthn Auth Form
CVE-2023-6484 5.3 - Medium - April 25, 2024

A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity.

Improper Output Neutralization for Logs

Keycloak Re-authentication Session Hijacking (prompt=login)
CVE-2023-6787 6.5 - Medium - April 25, 2024

A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting "Restart login," an account takeover may occur, as the new session, with a different SUB, will possess the same SID as the previous session.

Authentication

Keycloak DCR RegEx flaw enables unauthorized client registration
CVE-2023-6544 5.4 - Medium - April 25, 2024

A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which hosts are allowed to register a dynamic client. A malicious user with enough information about the environment, previously unauthorized, could jeopardize an environment with this specific Dynamic Client Registration and TrustedDomain configuration.

Permissive Regular Expression

Keycloak XSS via Malicious ACS URLs (CVE-2023-6717)
CVE-2023-6717 6 - Medium - April 25, 2024

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

XSS

Keycloak Authentication Bypass via Unvalidated Client Step-Up
CVE-2023-3597 5 - Medium - April 25, 2024

A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass authentication.

Authentication

Keycloak OIDC checkLoginIframe DoS via unvalidated cross-origin messages
CVE-2024-1249 7.4 - High - April 17, 2024

A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.

Origin Validation Error

Keycloak Redirect URI Validation Bypass via Wildcard URIs
CVE-2024-1132 8.1 - High - April 17, 2024

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.

Directory traversal

Xnio NotifierState Chain Overflow Uncontrolled Resource DoS
CVE-2023-5685 7.5 - High - March 22, 2024

A flaw was found in XNIO. The XNIO NotifierState can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large, which can lead to uncontrolled resource management and a possible denial of service (DoS).

Resource Exhaustion

Remote unauthenticated attacker can block accounts in Keycloak
CVE-2024-1722 3.7 - Low - February 29, 2024

A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.

Overly Restrictive Account Lockout Mechanism

Undertow WriteTimeoutStreamSinkConduit Causing Memory/File Exhaustion
CVE-2024-1635 7.5 - High - February 19, 2024

A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.

Resource Exhaustion

Undertow PT: Remote Attacker Can Access Privileged Files via Malformed HTTP
CVE-2024-1459 5.3 - Medium - February 12, 2024

A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories.

Path Traversal: '../filedir'

Keycloak Redirect URI Validation Bypass Token Theft
CVE-2023-6291 7.1 - High - January 26, 2024

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

Open Redirect

Keycloak JARM form_post.jwt Wildcard Exploit Leaks Auth Tokens
CVE-2023-6927 4.6 - Medium - December 18, 2023

A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.

Open Redirect

Java: Infinispan Unmarshal OOM DoS from Circular Object Ref
CVE-2023-5236 4.4 - Medium - December 18, 2023

A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service.

Red Hat
Vendor
