org.keycloak:keycloak-services
Maven79 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.keycloak:keycloak-servicespage 2 of 2
- CVE-2026-1190LOWCVSS 3.1EG 3.12026-01-26
vulnerable: 1.0-alpha-1 ... 9.0.3 (219 versions)
A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationDat…
- CVE-2026-1486HIGHCVSS 8.8EG 8.8✓ Fixed in 26.4.92026-02-09
vulnerable: 1.0-alpha-1 ... 9.0.3 (216 versions)
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFr…
- CVE-2026-1529HIGHCVSS 8.1EG 8.1✓ Fixed in 26.4.92026-02-09
vulnerable: 26.3.0 ... 26.4.7 (14 versions)
A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verificati…
- CVE-2026-2575MEDIUMCVSS 5.3EG 5.3✓ Fixed in 26.5.42026-03-18
vulnerable: 1.0-alpha-1 ... 9.0.3 (220 versions)
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits…
- CVE-2026-2603HIGHCVSS 8.1EG 8.1✓ Fixed in 26.5.52026-03-18
vulnerable: 1.0-alpha-1 ... 9.0.3 (221 versions)
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacke…
- CVE-2026-2733LOWCVSS 3.8EG 3.82026-02-19
vulnerable: 1.0-alpha-1 ... 9.0.3 (220 versions)
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting…
- CVE-2026-3121MEDIUMCVSS 6.5EG 6.5✓ Fixed in 26.5.62026-03-26
vulnerable: 1.0-alpha-1 ... 9.0.3 (222 versions)
A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain contr…
- CVE-2026-3190MEDIUMCVSS 4.3EG 4.3✓ Fixed in 26.5.62026-03-26
vulnerable: 1.0-alpha-1 ... 9.0.3 (222 versions)
A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server c…
- CVE-2026-3429MEDIUMCVSS 4.2EG 4.22026-03-11
vulnerable: 1.0-alpha-1 ... 9.0.3 (223 versions)
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtain…
- CVE-2026-37977MEDIUMCVSS 5.3EG 3.72026-04-06
vulnerable: 1.0-alpha-1 ... 9.0.3 (224 versions)
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a clien…
- CVE-2026-37978MEDIUMCVSS 4.9EG 4.9✓ Fixed in 26.6.22026-05-19
vulnerable: 1.0-alpha-1 ... 9.0.3 (226 versions)
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cro…
- CVE-2026-37979MEDIUMCVSS 6.5EG 6.5✓ Fixed in 26.6.22026-05-19
vulnerable: 1.0-alpha-1 ... 9.0.3 (226 versions)
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credent…
- CVE-2026-37980MEDIUMCVSS 4.8EG 6.92026-04-14
vulnerable: 1.0-alpha-1 ... 9.0.3 (222 versions)
A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. T…
- CVE-2026-37982MEDIUMCVSS 6.8EG 6.8✓ Fixed in 26.6.22026-05-19
vulnerable: 1.0-alpha-1 ... 9.0.3 (226 versions)
A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an a…
- CVE-2026-3872HIGHCVSS 7.3EG 7.3✓ Fixed in 26.5.72026-04-02
vulnerable: 1.0-alpha-1 ... 9.0.3 (223 versions)
A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to …
- CVE-2026-3911LOWCVSS 2.7EG 2.72026-03-11
vulnerable: 1.0-alpha-1 ... 9.0.3 (222 versions)
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes …
- CVE-2026-4282HIGHCVSS 7.4EG 7.4✓ Fixed in 26.5.72026-04-02
vulnerable: 1.0-alpha-1 ... 9.0.3 (223 versions)
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can…
- CVE-2026-4325MEDIUMCVSS 5.3EG 5.3✓ Fixed in 26.5.72026-04-02
vulnerable: 1.0-alpha-1 ... 9.0.3 (223 versions)
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of co…
- CVE-2026-4633LOWCVSS 3.7EG 3.7✓ Fixed in 26.4.122026-03-23
vulnerable: 1.0-alpha-1 ... 9.0.3 (216 versions)
Keycloak's identity-first login flow exposes user information A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability …
- CVE-2026-4634HIGHCVSS 7.5EG 7.5✓ Fixed in 26.5.72026-04-02
vulnerable: 1.0-alpha-1 ... 9.0.3 (223 versions)
A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high r…
- CVE-2026-4636HIGHCVSS 8.1EG 8.1✓ Fixed in 26.5.72026-04-02
vulnerable: 1.0-alpha-1 ... 9.0.3 (223 versions)
A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation req…
- CVE-2026-4874LOWCVSS 3.1EG 3.12026-03-26
vulnerable: 1.0-alpha-1 ... 9.0.3 (225 versions)
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to u…
- CVE-2026-7500MEDIUMCVSS 5.4EG 5.42026-04-30
vulnerable: 1.0-alpha-1 ... 9.0.3 (226 versions)
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write…
- CVE-2026-7504HIGHCVSS 8.1EG 8.1✓ Fixed in 26.6.22026-05-19
vulnerable: 1.0-alpha-1 ... 9.0.3 (226 versions)
A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive i…
- CVE-2026-7507HIGHCVSS 7.5EG 7.5✓ Fixed in 26.6.22026-05-19
vulnerable: 1.0-alpha-1 ... 9.0.3 (226 versions)
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link.…
- CVE-2026-7571HIGHCVSS 7.1EG 7.1✓ Fixed in 26.6.22026-05-19
vulnerable: 1.0-alpha-1 ... 9.0.3 (226 versions)
A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during …
- CVE-2026-8830MEDIUMCVSS 4.3EG 4.3✓ Fixed in 26.6.32026-05-19
vulnerable: 1.0-alpha-1 ... 9.0.3 (227 versions)
A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that t…
- CVE-2026-8922MEDIUMCVSS 5.4EG 5.42026-05-19
vulnerable: 1.0-alpha-1 ... 9.0.3 (227 versions)
A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens …
- CVE-2026-9087HIGHCVSS 8.1EG 6.4✓ Fixed in 26.6.32026-05-20
vulnerable: 1.0-alpha-1 ... 9.0.3 (227 versions)
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it …
Check whether org.keycloak:keycloak-services is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for org.keycloak:keycloak-services CVEs against the assets you own.
Start Free Scan →