Red Hat Build of Keycloak vulnerabilities
9 known vulnerabilities affecting redhat/build_of_keycloak.
Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 5, LOW 1
Vulnerabilities
CVE-2026-3009 | HIGH | CVSS 8.1 | CWE-863
Versions: v26.4, v26.4.10
Published: 2026-03-05
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control e
Source: NVD
CVE-2026-3047 | HIGH | CVSS 8.8 | CWE-305
Versions: v26.2, v26.2.14, +2 more
Published: 2026-03-05
A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled client
Source: NVD
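CVE-2026-3009 and CVE-2026-3047 share one pattern: the "is this IdP / client enabled?" decision is made when the login request is created, and the completion step trusts that earlier decision even if an administrator has flipped the flag in between. The following is an added example (a constructed toy broker, not Keycloak's code; the class and function names are hypothetical) that shows a completion step which trusts the stored request beside one that re-evaluates the enabled flags at the moment the session is actually minted.

```python
import secrets
from dataclasses import dataclass

# Constructed model of an identity-brokering flow. Not Keycloak's implementation.

@dataclass
class IdentityProvider:
    alias: str
    enabled: bool = True

@dataclass
class Client:
    client_id: str
    enabled: bool = True

class Broker:
    """Keeps pending login requests keyed by an opaque, single-use state token."""

    def __init__(self, idps, clients):
        self.idps = {i.alias: i for i in idps}
        self.clients = {c.client_id: c for c in clients}
        self.pending = {}  # state token -> (idp alias, target client id)

    def start_login(self, idp_alias: str, client_id: str) -> str:
        """The enabled check happens once, at request creation."""
        if not self.idps[idp_alias].enabled or not self.clients[client_id].enabled:
            raise PermissionError("idp or client disabled")
        state = secrets.token_urlsafe(16)
        self.pending[state] = (idp_alias, client_id)
        return state

    def complete_login_vulnerable(self, state: str, idp_asserted_user: str):
        """Trusts what was stored at start time: a request minted while the IdP and
        client were enabled still succeeds after an admin disables either one."""
        idp_alias, client_id = self.pending.pop(state)
        return {"user": idp_asserted_user, "client": client_id, "via": idp_alias}

    def complete_login_hardened(self, state: str, idp_asserted_user: str):
        """Re-reads the enabled flags at completion, where the session is actually created."""
        idp_alias, client_id = self.pending.pop(state)
        if not self.idps[idp_alias].enabled:
            return None  # IdP disabled after the request was generated (CVE-2026-3009 pattern)
        if not self.clients[client_id].enabled:
            return None  # landing client disabled (CVE-2026-3047 pattern)
        return {"user": idp_asserted_user, "client": client_id, "via": idp_alias}

def scenario(variant: str, disable: str) -> bool:
    """Start a login, let an admin disable the IdP or the client, then complete it.
    Returns True if a session was established."""
    broker = Broker([IdentityProvider("corp-saml")], [Client("intranet")])
    state = broker.start_login("corp-saml", "intranet")
    if disable == "idp":
        broker.idps["corp-saml"].enabled = False
    else:
        broker.clients["intranet"].enabled = False
    complete = broker.complete_login_vulnerable if variant == "vulnerable" else broker.complete_login_hardened
    return complete(state, "alice") is not None
```

The state token being single-use does not help here: the attacker only needs one request that was created before the administrator acted. The check that matters is the one performed where the session is created.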
CVE-2026-0871 | MEDIUM | CVSS 4.9 | CWE-266
Fixed in: 26.4.9
Published: 2026-02-27
A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.
Source: NVD
CVE-2025-12150 | LOW | CVSS 3.1 | CWE-347
Fixed in: 26.4.4
Published: 2026-02-27
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authenticat
Source: NVD
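The attestation object is a CBOR map whose `fmt` field names the attestation statement format; an authenticator (or an attacker driving the ceremony) that sends `fmt: "none"` ships no signature at all, so a relying party that requires direct attestation must reject it before any format-specific verification runs. The following added example (not Keycloak's code) implements a minimal CBOR codec for the types an attestation object uses and the policy gate for the realm's conveyance preference. The sample attestation objects are constructed with dummy authenticator data, and treating "indirect" as not requiring an attestation statement is an assumption of this example.

```python
# Added example, not Keycloak's code: minimal CBOR codec plus the attestation-policy gate
# that a registration ceremony must apply before looking at the attestation statement.

def _cbor_head(major: int, n: int) -> bytes:
    """Encode the initial byte plus argument for an unsigned value n."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")

def cbor_encode(value) -> bytes:
    """Encode unsigned ints, bytes, str, list and dict (enough for an attestation object)."""
    if isinstance(value, bool) or value is None:
        raise TypeError("simple values not supported")
    if isinstance(value, int) and value >= 0:
        return _cbor_head(0, value)
    if isinstance(value, bytes):
        return _cbor_head(2, len(value)) + value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return _cbor_head(3, len(raw)) + raw
    if isinstance(value, list):
        return _cbor_head(4, len(value)) + b"".join(cbor_encode(v) for v in value)
    if isinstance(value, dict):
        return _cbor_head(5, len(value)) + b"".join(cbor_encode(k) + cbor_encode(v) for k, v in value.items())
    raise TypeError(f"unsupported type {type(value).__name__}")

def _cbor_decode_at(data: bytes, i: int):
    """Decode one item at offset i; return (value, next_offset). Definite lengths only."""
    major, info = data[i] >> 5, data[i] & 0x1F
    i += 1
    if info < 24:
        arg = info
    elif info in (24, 25, 26, 27):
        size = {24: 1, 25: 2, 26: 4, 27: 8}[info]
        arg = int.from_bytes(data[i:i + size], "big")
        i += size
    else:
        raise ValueError("indefinite-length or reserved CBOR item")
    if major == 0:
        return arg, i
    if major == 2:
        return data[i:i + arg], i + arg
    if major == 3:
        return data[i:i + arg].decode("utf-8"), i + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, i = _cbor_decode_at(data, i)
            items.append(item)
        return items, i
    if major == 5:
        out = {}
        for _ in range(arg):
            key, i = _cbor_decode_at(data, i)
            val, i = _cbor_decode_at(data, i)
            out[key] = val
        return out, i
    raise ValueError(f"unsupported CBOR major type {major}")

def cbor_decode(data: bytes):
    value, end = _cbor_decode_at(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return value

def check_attestation_policy(attestation_object: bytes, conveyance: str):
    """Gate on the realm's attestation conveyance preference. Returns (accepted, reason).
    Format-specific signature verification, required for any fmt other than "none", comes after this."""
    att = cbor_decode(attestation_object)
    if not isinstance(att, dict):
        return False, "attestation object is not a CBOR map"
    fmt, auth_data = att.get("fmt"), att.get("authData")
    if not isinstance(fmt, str) or not isinstance(auth_data, bytes):
        return False, "missing fmt or authData"
    if len(auth_data) < 37:
        return False, "authData shorter than rpIdHash + flags + signCount"
    requires_statement = conveyance in ("direct", "enterprise")  # assumption: "indirect" does not
    if requires_statement and fmt == "none":
        return False, f"realm requires {conveyance} attestation but authenticator sent fmt=none"
    return True, f"fmt={fmt} accepted under conveyance={conveyance}; verify the statement next"

# Constructed samples: rpIdHash, flags (UP|AT), signCount, aaguid, credId length/id, dummy key bytes.
_AUTH_DATA = bytes(32) + b"\x41" + bytes(4) + bytes(16) + b"\x00\x10" + bytes(16) + bytes(8)
FORGED_NONE = cbor_encode({"fmt": "none", "attStmt": {}, "authData": _AUTH_DATA})
PACKED = cbor_encode({"fmt": "packed", "attStmt": {"sig": b"\x30\x00", "x5c": [b"\x30\x00"]}, "authData": _AUTH_DATA})
```

The order matters: the policy gate runs on the parsed `fmt` before any attempt to verify `attStmt`, because for `fmt: "none"` there is nothing to verify and a verifier that "succeeds" on an empty statement is exactly the bypass described above.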
CVE-2025-3910 | MEDIUM | CVSS 5.4 | CWE-287
Affected: ≥ 26.0, < 26.0.11
Published: 2025-04-29
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.
Source: NVD
CVE-2024-7341 | HIGH | CVSS 7.1 | CWE-384
Affected: ≥ 22.0, < 22.0.12; ≥ 24.0, < 24.0.7
Published: 2024-09-09
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
Source: NVD
CVE-2024-7318 | MEDIUM | CVSS 4.8 | CWE-324
Affected: ≥ 22.0, < 24.0.7
Published: 2024-09-09
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and being deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds, totaling 1 minute.
A one-time passcode that is valid longer than its expiration time incre
Source: NVD
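The extra 30 seconds come from the verifier's acceptance window: a TOTP verifier that also tries the previous time step accepts a code for two periods instead of one. The following added example (not Keycloak's or FreeOTP's code) implements HOTP/TOTP per RFC 4226/6238, a verifier whose past and future window is explicit, and last-accepted-step tracking so that a code cannot be replayed even inside the window. The secret is the RFC test-vector key, chosen only because its codes are documented.

```python
import hashlib
import hmac
import struct

# Added example. DEMO_SECRET is the RFC 4226/6238 test-vector key, not a real credential.
DEMO_SECRET = b"12345678901234567890"
PERIOD = 30
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, period: int = PERIOD) -> str:
    """RFC 6238: HOTP over the time-step counter floor(now / period)."""
    return hotp(secret, now // period)

class OtpVerifier:
    """Accepts a code for the current step plus look_back earlier and look_ahead later steps.
    The highest accepted step is remembered, so a consumed code (or any older one) is refused."""

    def __init__(self, secret: bytes, look_back: int = 0, look_ahead: int = 0, period: int = PERIOD):
        self.secret = secret
        self.look_back = look_back
        self.look_ahead = look_ahead
        self.period = period
        self.last_accepted_step = -1

    def check(self, code: str, now: int) -> bool:
        step = now // self.period
        for delta in range(-self.look_back, self.look_ahead + 1):
            candidate = step + delta
            if candidate <= self.last_accepted_step:
                continue  # replay of a consumed step, or older than one already consumed
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False

def lifetime_seconds(look_back: int, period: int = PERIOD) -> int:
    """Worst-case time a code stays valid: its own period plus look_back earlier periods."""
    return (look_back + 1) * period
```

With `look_back=1` the code minted in step 0 is still accepted 45 seconds later (step 1), which is the one-minute lifetime the entry describes; with `look_back=0` it is refused after 30 seconds. Keep any clock-skew allowance as small as the deployment tolerates, and always pair it with replay tracking.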
CVE-2024-7260 | MEDIUM | CVSS 6.1 | CWE-601
Fixed in: 24.0.7
Published: 2024-09-09
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result
Source: NVD
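A redirect target taken from a request parameter has to be validated by parsing it and comparing the exact host against an allow-list; prefix matching is what open redirects usually slip past. The following added example (not Keycloak's code; the allow-list and function names are constructed) puts a prefix-based check beside a parse-based one and shows the inputs that separate them.

```python
from urllib.parse import urlparse

# Added example, not Keycloak's code. Constructed allow-list of hosts we are willing to send users to.
ALLOWED_HOSTS = {"sso.example.com", "app.example.com"}

def is_safe_redirect_naive(target: str) -> bool:
    """Prefix check of the kind open-redirect bugs usually hide behind."""
    return target.startswith("https://sso.example.com") or target.startswith("/")

def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Parse the target and compare the exact host against the allow-list.
    Relative targets must be a single-slash path: no scheme-relative (//) or backslash (/\\) forms."""
    if not target or any(ch in target for ch in "\r\n\t "):
        return False                           # no header-injection or whitespace tricks
    parts = urlparse(target)
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    if parts.scheme != "https":
        return False                           # rejects javascript:, data:, http://
    if parts.username is not None or parts.password is not None:
        return False                           # rejects https://sso.example.com@evil.net
    return parts.hostname in allowed_hosts     # exact match: sso.example.com.evil.net fails

def choose_redirect(target: str, default: str = "https://sso.example.com/") -> str:
    """Return the validated target or a known-good default; never echo an unvalidated URL."""
    return target if is_safe_redirect(target) else default
```

`urlparse` lowercases the scheme and `hostname`, strips userinfo into `username`/`password`, and leaves a scheme-relative `//evil.net` with an empty scheme and a non-empty `netloc`, which is why each of those cases is handled by the structured fields rather than by string matching.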
CVE-2024-4629 | MEDIUM | CVSS 6.5 | CWE-837
Affected: ≥ 22.0, < 22.0.12
Published: 2024-09-03
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses
Source: NVD
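The loophole is a check-then-act race: every concurrent request reads the failure counter before any of them writes it back, so all of them pass the lockout check. The following added example (a constructed model, not Keycloak's brute-force detector; the class and hook names are hypothetical) drives twenty simultaneous wrong-password attempts against a counter that checks and updates in two steps, and against one that reserves the attempt atomically before the password is evaluated. A barrier hook makes the bad interleaving deterministic so the effect is reproducible rather than timing-dependent.

```python
import threading

# Added example, not Keycloak's code. Constructed per-user failed-login counter.

class BruteForceGuard:
    def __init__(self, max_failures: int, interleave=None):
        self.max_failures = max_failures
        self.failures = {}               # user -> consecutive failed attempts
        self.lock = threading.Lock()
        self._interleave = interleave    # test hook (constructed): runs between the check and the update

    def attempt_vulnerable(self, user: str, password_ok: bool) -> bool:
        """Check, then act, with nothing held across the two steps.
        Returns True when the guess reached password evaluation (i.e. was not blocked)."""
        if self.failures.get(user, 0) >= self.max_failures:
            return False
        if self._interleave is not None:
            self._interleave()           # models N requests all passing the check before any write
        if password_ok:
            self.failures[user] = 0
        else:
            self.failures[user] = self.failures.get(user, 0) + 1
        return True

    def attempt_hardened(self, user: str, password_ok: bool) -> bool:
        """Read and reserve the slot under one lock before the password is evaluated,
        so concurrent requests cannot collectively exceed the limit."""
        with self.lock:
            used = self.failures.get(user, 0)
            if used >= self.max_failures:
                return False
            self.failures[user] = used + 1   # provisionally a failure until the guess succeeds
        if password_ok:
            with self.lock:
                self.failures[user] = 0
        return True

def simulate(variant: str, threads: int = 20, max_failures: int = 5) -> int:
    """Fire `threads` simultaneous wrong-password attempts for one user and return how many
    reached password evaluation. A correct guard lets through at most max_failures."""
    barrier = threading.Barrier(threads) if variant == "vulnerable" else None
    guard = BruteForceGuard(max_failures, interleave=barrier.wait if barrier else None)
    attempt = guard.attempt_vulnerable if variant == "vulnerable" else guard.attempt_hardened
    results = [False] * threads

    def worker(i: int) -> None:
        results[i] = attempt("alice", password_ok=False)

    workers = [threading.Thread(target=worker, args=(i,)) for i in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return sum(results)
```

The hardened variant counts an attempt before it knows the outcome and clears the counter on success; the same property has to hold in a clustered deployment, where the counter lives in a shared store and the reserve step must be an atomic increment there, not a read followed by a write.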