Redhat Keycloak vulnerabilities

CVE-2026-0871 [MEDIUM] CWE-266 CVE-2026-0871: A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only a A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.

CVE-2025-12150 [LOW] CWE-347 CVE-2025-12150: A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacke A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authenticat

CVE-2024-7341 [HIGH] CWE-384 CVE-2024-7341: A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID an A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

CVE-2024-7260 [MEDIUM] CWE-601 CVE-2024-7260: An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed whe An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result

CVE-2024-4629 [MEDIUM] CWE-837 CVE-2024-4629: A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection b A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses

CVE-2023-6787 [MEDIUM] CWE-287 CVE-2023-6787: A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the user to re-enter their credentials. If the user cancels this re-authenticat

CVE-2024-1132 [HIGH] CWE-22 CVE-2024-1132: A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URI

CVE-2024-1722 [LOW] CWE-645 CVE-2024-1722: A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated a A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.

CVE-2023-6291 [HIGH] CWE-601 CVE-2023-6291: A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

CVE-2023-6563 [HIGH] CWE-770 CVE-2023-6563: An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge

CVE-2023-6134 [MEDIUM] CWE-79 CVE-2023-6134: A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildc A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

CVE-2022-3916 [MEDIUM] CWE-384 CVE-2022-3916: A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared co A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authen

CVE-2023-4918 [HIGH] CWE-256 CVE-2023-4918: A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user re A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able to read users attributes, allowing a malicious user with

CVE-2023-0264 [MEDIUM] CWE-287 CVE-2023-0264: A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availabili

CVE-2022-4361 [CRITICAL] CWE-81 CVE-2022-4361: Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) v Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri.

CVE-2022-1274 [MEDIUM] CWE-80 CVE-2022-1274: A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.

CVE-2022-3782 [CRITICAL] CWE-22 CVE-2022-3782: keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not pr keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This fla

CVE-2021-3632 [HIGH] CWE-287 CVE-2021-3632: A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.

CVE-2021-3856 [MEDIUM] CWE-552 CVE-2021-3856: ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a re ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.

CVE-2021-3827 [MEDIUM] CWE-287 CVE-2021-3827: A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows t A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiali