pkg:Maven/org.keycloak:keycloak-services

74 CVEs in total: CRITICAL 2, HIGH 21, MEDIUM 35, LOW 15 (one further entry, CVE-2022-2232, carries no score)


All known vulnerabilities (severity, CVSS score, CVE identifier and advisory title; the affected version range of the keycloak-services artifact follows on the next line, where "from 0" means every version below the stated bound and "<=" includes the bound itself)

  • CRITICAL 10.0 CVE-2022-4361: Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC
    from 0, < 21.1.2
  • CRITICAL 9.8 CVE-2022-1245: Keycloak vulnerable to privilege escalation on Token Exchange feature
    from 0, < 18.0.0
  • HIGH 8.8 CVE-2026-1486: Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens
    >= 26.5.0, < 26.5.3
  • HIGH 8.8 CVE-2014-3709: JBoss Keycloak CSRF Vulnerability
    from 0, < 1.0.3.Final
  • HIGH 8.8 CVE-2021-4133: Improper Authorization in Keycloak
    from 0, < 15.1.1
  • HIGH 8.7 CVE-2023-0264: Keycloak vulnerable to user impersonation via stolen UUID code
    from 0, < 21.0.1
  • HIGH 8.2 CVE-2025-3501: Keycloak hostname verification
    from 0, < 26.2.2
  • HIGH 8.1 CVE-2026-4636: Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants
    from 0, < 26.5.7
  • HIGH 8.1 CVE-2026-2603: Keycloak: Unauthorized authentication via disabled SAML Identity Provider
    from 0, < 26.5.5
  • HIGH 8.1 CVE-2026-3009: Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator
    from 0, < 26.5.5
  • HIGH 8.1 CVE-2026-1529: Keycloak affected by improper invitation token validation
    >= 26.5.0, < 26.5.3
  • HIGH 8.1 CVE-2024-3656: Keycloak's admin API allows low privilege users to use administrative functions
    from 0, < 24.0.5
  • HIGH 8.1 CVE-2024-1132: Keycloak path traversal vulnerability in redirection validation
    from 0, < 22.0.10
  • HIGH 7.7 CVE-2026-2092: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
    >= 26.5.0, < 26.5.5
  • HIGH 7.5 CVE-2026-4634: Keycloak: Application-Level DoS via Scope Processing
    from 0, < 26.5.7
  • HIGH 7.5 CVE-2024-4540: Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)
    from 0, < 24.0.5
  • HIGH 7.4 CVE-2026-4282: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw
    from 0, < 26.5.7
  • HIGH 7.4 CVE-2024-1249: Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS
    from 0, < 22.0.10
  • HIGH 7.3 CVE-2026-3872: Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint
    from 0, < 26.5.7
  • HIGH 7.1 CVE-2024-7341: Keycloak has session fixation in Elytron SAML adapters
    from 0, < 22.0.12
  • HIGH 7.1 CVE-2024-2419: Keycloak path traversal vulnerability in the redirect validation
    from 0, < 22.0.10
  • HIGH 7.1 CVE-2023-6291: The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted
    from 0, < 23.0.3
  • HIGH 7.1 CVE-2023-2422: Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clients
    from 0, < 21.1.2
  • MEDIUM 6.9 CVE-2026-37980: Keycloak: Arbitrary code execution via Stored Cross-Site Scripting (XSS) in organization selection login page
    from 0, <= 26.5.5
  • MEDIUM 6.5 CVE-2026-3121: Keycloak: manage-clients permission escalates to full realm admin access
    from 0, < 26.5.6
  • MEDIUM 6.5 CVE-2025-14559: Keycloak services allows the issuance of access and refresh tokens for disabled users
    >= 26.5.0, < 26.5.2
  • MEDIUM 6.5 CVE-2025-7784: Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled)
    >= 26.2.0, < 26.2.6
  • MEDIUM 6.5 CVE-2024-10270: org.keycloak:keycloak-services has Inefficient Regular Expression Complexity
    from 0, < 24.0.9
  • MEDIUM 6.5 CVE-2024-4629: Keycloak Services has a potential bypass of brute force protection
    from 0, < 22.0.12
  • MEDIUM 6.5 CVE-2023-6787: Keycloak vulnerable to session hijacking via re-authentication
    from 0, < 22.0.10
  • MEDIUM 6.4 CVE-2022-1438: Keycloak vulnerable to Cross-site Scripting
    from 0, <= 21.0.0
  • MEDIUM 6.1 CVE-2024-8883: Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect
    from 0, < 22.0.13
  • MEDIUM 6.1 CVE-2014-3652: JBoss KeyCloak Open Redirect
    from 0, < 1.1.0.Beta1
  • MEDIUM 6.0 CVE-2025-12390: Keycloak vulnerable to session takeovers due to reuse of session identifiers
    from 0, < 26.0.0
  • MEDIUM 6.0 CVE-2023-6717: Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow
    from 0, < 22.0.10
  • MEDIUM 5.4 CVE-2026-7500: Keycloak has a Forced Browsing issue
    from 0, <= 26.6.1
  • MEDIUM 5.4 CVE-2025-14778: Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService
    from 0, < 26.2.13
  • MEDIUM 5.4 CVE-2025-12110: Keycloak does not invalidate offline sessions when the offline_access scope is removed
    from 0, < 26.2.3
  • MEDIUM 5.4 CVE-2025-11429: Keycloak does not invalidate sessions when "Remember Me" is disabled
    >= 26.3.0, < 26.4.1
  • MEDIUM 5.4 CVE-2025-7365: Keycloak phishing attack via email verification step in first login flow
    from 0, < 26.0.13
  • MEDIUM 5.4 CVE-2025-3910: Keycloak vulnerable to two factor authentication bypass
    from 0, < 26.2.2
  • MEDIUM 5.4 CVE-2025-1391: Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims
    >= 26.1.0, < 26.1.3
  • MEDIUM 5.4 CVE-2023-6544: Keycloak Authorization Bypass vulnerability
    from 0, < 22.0.10
  • MEDIUM 5.4 CVE-2022-1274: HTML Injection in Keycloak Admin REST API
    from 0, < 20.0.5
  • MEDIUM 5.4 CVE-2018-10894: Keycloak Authentication Error
    from 0, < 4.4.0.Final
  • MEDIUM 5.3 CVE-2026-4325: Keycloak: Replay of action tokens via improper handling of single-use entries
    from 0, < 26.5.7
  • MEDIUM 5.3 CVE-2026-2575: Keycloak: Denial of Service due to excessive SAMLRequest decompression
    from 0, < 26.5.4
  • MEDIUM 5.3 CVE-2025-8419: Keycloak SMTP Inject Vulnerability
    from 0, < 26.2.8
  • MEDIUM 5.3 CVE-2023-6484: Keycloak vulnerable to log Injection during WebAuthn authentication or registration
    from 0, < 22.0.9
  • MEDIUM 5.3 CVE-2021-3424: Keycloak is vulnerable to IDN homograph attack
    from 0, < 18.0.0
  • MEDIUM 5.0 CVE-2023-3597: Keycloak secondary factor bypass in step-up authentication
    from 0, < 22.0.10
  • MEDIUM 4.9 CVE-2025-2559: Keycloak Denial of Service (DoS) Vulnerability via JWT Token Cache
    from 0, <= 26.1.4
  • MEDIUM 4.8 CVE-2020-10776: Cross-site Scripting in keycloak
    from 0, < 12.0.0
  • MEDIUM 4.6 CVE-2023-6134: Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri
    from 0, < 23.0.3
  • MEDIUM 4.3 CVE-2026-3190: Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure
    from 0, < 26.5.6
  • MEDIUM 4.3 CVE-2026-4628: Keycloak has Improper Access Control that allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false
    from 0, <= 26.6.0
  • MEDIUM 4.3 CVE-2014-3655: JBoss KeyCloak is vulnerable to soft token deletion via CSRF
    from 0, < 1.0.2.Final
  • MEDIUM 4.2 CVE-2026-3429: Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API
    from 0, <= 26.5.6
  • LOW 3.8 CVE-2026-2733: Keycloak: Missing Check on Disabled Client for Docker Registry Protocol
    from 0, <= 26.5.3
  • LOW 3.7 CVE-2026-37977: Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim
    from 0, <= 26.5.7
  • LOW 3.7 CVE-2026-4633: Keycloak's identity-first login flow exposes user information
    >= 26.5.0, < 26.6.0
  • LOW 3.7 CVE-2024-1722: Keycloak Denial of Service via account lockout
    from 0, < 24.0.0
  • LOW 3.7 CVE-2021-3754: Keycloak's improper input validation allows using email as username
    from 0, < 24.0.1
  • LOW 3.5 CVE-2023-2585: Client Spoofing within the Keycloak Device Authorisation Grant
    from 0, < 21.1.2
  • LOW 3.4 CVE-2023-0657: Keycloak vulnerable to impersonation via logout token exchange
    from 0, < 22.0.10
  • LOW 3.1 CVE-2026-4874: Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation
    from 0, <= 26.6.0
  • LOW 3.1 CVE-2025-12150: Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass
    from 0, < 26.4.4
  • LOW 3.1 CVE-2026-1190: Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods
    from 0, <= 26.5.2
  • LOW 3.1 CVE-2026-1035: Keycloak does not validate and update refresh token usage atomically
    from 0, <= 26.2.5
  • LOW 2.7 CVE-2026-3911: Keycloak: Information disclosure of disabled user attributes via administrative endpoint
    from 0, <= 26.5.5
  • LOW 2.7 CVE-2025-13881: Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes
    >= 26.5.0, < 26.5.2
  • LOW 2.7 CVE-2025-14083: Keycloak Admin REST API exposes backend schema and rules
    from 0, <= 26.2.5
  • LOW 2.7 CVE-2025-14082: Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions
    from 0, < 26.5.0
  • (no score) CVE-2022-2232: Keycloak vulnerable to LDAP Injection on UsernameForm Login
    from 0, < 23.0.1
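Matching a deployed version against these ranges by hand is error-prone: the list mixes "from 0, < X", ">= A, < B" and "from 0, <= X" bounds, and the oldest entries use Maven qualifiers such as "1.0.3.Final" and "1.1.0.Beta1", which do not sort as plain dotted numbers. The script below is an added example, not part of this page or of the Keycloak project: it parses the page's own range syntax and a simplified Maven-style version ordering (numeric parts compared numerically, trailing ".0" ignored, "Final"/"GA" treated as a release, Alpha/Beta/CR/RC as pre-releases, anything else rejected rather than silently mis-ordered) and reports which entries cover a given version. The `ADVISORIES` table is a constructed sample of six entries copied from the list above; the full list can be loaded the same way.

```python
"""Check a keycloak-services version against advisory ranges in the form used on this page.

Added example, not Keycloak project code. Version ordering is a simplified
Maven ordering (assumption), sufficient for the qualifiers that appear on the page.
"""
import re

# Constructed sample copied from the list above: (CVE, severity, affected range).
ADVISORIES = [
    ("CVE-2022-4361", "CRITICAL", "from 0, < 21.1.2"),
    ("CVE-2026-1486", "HIGH", ">= 26.5.0, < 26.5.3"),
    ("CVE-2026-37980", "MEDIUM", "from 0, <= 26.5.5"),
    ("CVE-2014-3709", "HIGH", "from 0, < 1.0.3.Final"),
    ("CVE-2014-3652", "MEDIUM", "from 0, < 1.1.0.Beta1"),
    ("CVE-2025-11429", "MEDIUM", ">= 26.3.0, < 26.4.1"),
]

# Pre-release qualifiers sort below a release; "Final"/"GA"/no qualifier are releases.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "rc": 2, "": 3, "final": 3, "ga": 3}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[.-]([A-Za-z]+)(\d*))?$")
_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
}


def version_key(text):
    """Return a sortable key: (numeric parts, qualifier rank, qualifier number).

    '26.5.3'       -> ((26, 5, 3), 3, 0)
    '1.0.3.Final'  -> ((1, 0, 3), 3, 0)   same as '1.0.3'
    '1.1.0.Beta1'  -> ((1, 1), 1, 1)      sorts below '1.1.0'
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(n) for n in m.group(1).split(".")]
    while nums and nums[-1] == 0:  # Maven treats 1.0 and 1.0.0 as equal
        nums.pop()
    qualifier = (m.group(2) or "").lower()
    if qualifier not in _QUALIFIER_RANK:
        # Refuse rather than guess: an unknown qualifier would silently mis-order.
        raise ValueError(f"unknown qualifier {qualifier!r} in {text!r}")
    return (tuple(nums), _QUALIFIER_RANK[qualifier], int(m.group(3) or 0))


def parse_range(text):
    """Parse 'from 0, < 21.1.2' or '>= 26.5.0, <= 26.5.5' into [(op, version_key)]."""
    clauses = []
    for clause in text.split(","):
        m = re.fullmatch(r"(from|>=|>|<=|<)\s*(\S+)", clause.strip())
        if not m:
            raise ValueError(f"unrecognised range clause: {clause!r}")
        op, bound = m.groups()
        clauses.append((">=" if op == "from" else op, version_key(bound)))
    return clauses


def in_range(version, range_text):
    """True when every clause of the range admits the version."""
    key = version_key(version)
    return all(_OPS[op](key, bound) for op, bound in parse_range(range_text))


def affecting(version, advisories=ADVISORIES):
    """CVE identifiers from `advisories` whose range covers `version`, in list order."""
    return [cve for cve, _sev, rng in advisories if in_range(version, rng)]


if __name__ == "__main__":
    for v in ("26.5.2", "26.5.5", "26.5.6", "1.0.2.Final"):
        print(f"{v:>12}: {affecting(v) or 'no listed entry matches'}")
```

Note that an upper bound written "<= 26.5.5" still matches 26.5.5 itself, so a version equal to such a bound is reported as affected; the fix, if one has since shipped, must be looked up in the advisory rather than inferred from this list.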