org.keycloak:keycloak-services
This hub aggregates every CVE we track for org.keycloak:keycloak-services, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
57 CVEs tracked
2 Critical
15 High
0 in CISA KEV
Severity distribution
Medium: 29, High: 15, Low: 11, Critical: 2
Monthly trend
Monthly CVE counts, 2024-07 through 2026-06 (24 months, oldest first): 0, 0, 3, 1, 3, 0, 0, 1, 1, 2, 0, 0, 2, 1, 0, 3, 0, 1, 4, 6, 2, 0, 0, 0
Latest CVEs
The 15 most recently published vulnerabilities affecting org.keycloak:keycloak-services. Each entry gives the CVE ID, the affected component, the advisory title, and the severity score.
- CVE-2026-3911 | org.keycloak.services.resources.admin.userresource | Keycloak: information disclosure of disabled user attributes via administrative endpoint | 2.7
- CVE-2026-3009 | org.keycloak/keycloak-services | improper enforcement of disabled identity provider in identitybrokerservice (authentication bypass) | 8.1
- CVE-2025-12150 | org.keycloak/keycloak-services | WebAuthn attestation statement verification bypass | 3.1
- CVE-2026-2733 | org.keycloak/keycloak-services | Keycloak: missing check on disabled client for Docker registry protocol | 3.8
- CVE-2025-14778 | Keycloak | incorrect ownership checks in /uma-policy/ | 5.4
- CVE-2026-1529 | org.keycloak.services.resources.organizations | Keycloak: unauthorized organization registration via improper invitation token validation | 8.1
- CVE-2026-1486 | org.keycloak.protocol.oidc.grants | disabled identity providers are still accepted for JWT authorization grant | 8.8
- CVE-2025-13881 | org.keycloak.services.resources.admin | Keycloak: limited administrator can retrieve sensitive user attributes via admin API | 2.7
- CVE-2026-1190 | org.keycloak/keycloak-services | Keycloak SAML brokering: response delay due to unchecked NotOnOrAfter in SubjectConfirmationData | 3.1
- CVE-2025-14083 | keycloak-server | Keycloak: improper access control in admin REST API leads to information disclosure | 2.7
- CVE-2025-14559 | org.keycloak/keycloak-services | Keycloak keycloak-services: business logic flaw allows unauthorized token issuance for disabled users | 6.5
- CVE-2026-1035 | org.keycloak.protocol.oidc | Keycloak refresh token reuse bypass via TOCTOU race condition | 3.1
- CVE-2025-14082 | keycloak-services | Keycloak admin REST API: improper access control leads to sensitive role metadata information disclosure | 2.7
- CVE-2025-12390 | org.keycloak.protocol.oidc.endpoints.logoutendpoint | offline session takeover due to reused authentication session ID | 6.0
- CVE-2025-12110 | Keycloak: org.keycloak:keycloak-services | user can refresh offline session even after client's offline_access scope was removed | 5.4
Product normalization is registry-driven with AI assist and human review.