CVE Tools

keycloak

Security Productsoss-project

3

Cumulative CVEs

1

Monthly snapshots

#115

Peak rank

Top products

Latest CVEs

The 15 most recently published vulnerabilities affecting keycloak.

CVE-2025-12150Org.keycloak/keycloak-services: webauthn attestation statement verification bypass3.1Feb 27, 2026
CVE-2025-13467Org.keycloak.storage.ldap: keycloak: deserialization of untrusted data in ldap user federation5.5Nov 25, 2025
CVE-2025-11538Keycloak-server: debug default bind address6.8Nov 13, 2025
CVE-2025-12390Org.keycloak.protocol.oidc.endpoints.logoutendpoint: offline session takeover due to reused authentication session id6.0Oct 28, 2025
CVE-2025-10939Org.keycloak/keycloak-quarkus-server: unable to restrict access to the admin console3.7Oct 28, 2025
CVE-2025-12110Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed5.4Oct 23, 2025
CVE-2025-11429Keycloak-server: too long and not settings compliant session5.4Oct 23, 2025
CVE-2025-10044Keycloak: keycloak error_description injection on error pages4.3Sep 5, 2025
CVE-2025-9162Org.keycloak/keycloak-model-storage-service: variable injection into environment variables4.9Aug 21, 2025
CVE-2025-8419Org.keycloak/keycloak-services: keycloak smtp inject vulnerability5.3Aug 6, 2025
CVE-2022-4361Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute ma...10.0Jul 7, 2023
CVE-2020-10686A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to po...4.1May 4, 2020
CVE-2019-14820It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability c...4.3Jan 8, 2020
CVE-2019-14832A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id coul...7.5Oct 15, 2019
CVE-2017-12161It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious ...8.8Feb 21, 2018