Org.keycloak:keycloak-core

This hub aggregates every CVE we track for Org.keycloak:keycloak-core, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Org.keycloak:keycloak-core.

• CVE-2024-4028Keycloak-core: stored xss in keycloak when creating a items in admin console3.8Feb 18, 2025
• CVE-2024-10039Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination 7.1Nov 25, 2024
• CVE-2023-6841Keycloak: amount of attributes per object is not limited and it may lead to dos7.5Sep 10, 2024
• CVE-2024-7318Keycloak-core: one time passcode (otp) is valid longer than expiration timeseverity4.8Sep 9, 2024
• CVE-2024-7260Keycloak-core: open redirect on account page6.1Sep 9, 2024
• CVE-2023-6927Keycloak: open redirect via "form_post.jwt" jarm response mode4.6Dec 18, 2023
• CVE-2023-4918Plaintext storage of user password8.8Sep 12, 2023
• CVE-2023-1664A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak....6.5May 26, 2023
• CVE-2023-0105A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and l...6.5Jan 11, 2023
• CVE-2023-0091A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensi...3.8Jan 11, 2023
• CVE-2022-0225A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site...5.4Aug 26, 2022
• CVE-2021-3632A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-les...7.5Aug 26, 2022
• CVE-2021-3856ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an e...4.3Aug 26, 2022
• CVE-2020-35509A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest ...5.4Aug 23, 2022
• CVE-2022-1466Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even tho...6.5Apr 26, 2022