Red Hat Build of Keycloak
29 CVEs affecting Red Hat Build of Keycloak. Latest disclosed: 2026-05-28. Critical: 0, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-7504 | High | 8.1 | 2026-05-19 | A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirec… |
| CVE-2026-7507 | High | 7.5 | 2026-05-19 | A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authen… |
| CVE-2026-7307 | High | 7.5 | 2026-05-19 | A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoi… |
| CVE-2026-9795 | High | 7.3 | 2026-05-28 | A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vu… |
| CVE-2026-7571 | High | 7.1 | 2026-05-19 | A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the imp… |
| CVE-2026-37980 | Medium | 6.9 | 2026-04-14 | A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administra… |
| CVE-2026-9802 | Medium | 6.8 | 2026-05-28 | A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mech… |
| CVE-2026-9704 | Medium | 6.8 | 2026-05-27 | A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JW… |
| CVE-2026-4630 | Medium | 6.8 | 2026-05-19 | A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Prot… |
| CVE-2026-37982 | Medium | 6.8 | 2026-05-19 | A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuth… |
| CVE-2026-9796 | Medium | 6.5 | 2026-05-28 | A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability i… |
| CVE-2026-9792 | Medium | 6.5 | 2026-05-28 | A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type… |
| CVE-2026-37979 | Medium | 6.5 | 2026-05-19 | A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client t… |
| CVE-2025-7784 | Medium | 6.5 | 2025-07-18 | A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the… |
| CVE-2026-9087 | Medium | 6.4 | 2026-05-20 | A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was… |
| CVE-2026-9793 | Medium | 5.9 | 2026-05-28 | A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the d… |
| CVE-2026-8922 | Medium | 5.4 | 2026-05-19 | A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspec… |
| CVE-2026-7500 | Medium | 5.4 | 2026-04-30 | When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned pa… |
| CVE-2026-9803 | Medium | 5.3 | 2026-05-28 | A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafte… |
| CVE-2026-9794 | Medium | 5.3 | 2026-05-28 | A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Sec… |