Keycloak

This hub aggregates every CVE we track for Keycloak, a product in the enterprise software space. Use it to gauge the current risk picture and drill into individual advisories.

Enterprise Softwareon-premweb app

126

CVEs tracked

Critical

High

In CISA KEV

Severity distribution

MEDIUM69HIGH39LOW11CRITICAL7

Monthly trend

2024-072026-06

Latest CVEs

See all →

The 15 most recently published vulnerabilities affecting Keycloak.

CVE-2026-7504Org.keycloak/keycloak-services: open redirect when using wildcard valid redirect uris in keycloak8.1May 19, 2026
CVE-2026-7307Keycloak: keycloak: denial of service via specially crafted saml input7.5May 19, 2026
CVE-2026-4636Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.8.1Apr 2, 2026
CVE-2025-12150Org.keycloak/keycloak-services: webauthn attestation statement verification bypass3.1Feb 27, 2026
CVE-2026-0871Org.keycloak/keycloak-services: keycloak: unauthorized modification of unmanaged user attributes by administrators4.9Feb 27, 2026
CVE-2025-14559Org.keycloak/keycloak-services: keycloak keycloak-services: business logic flaw allows unauthorized token issuance for disabled users6.5Jan 21, 2026
CVE-2025-13467Org.keycloak.storage.ldap: keycloak: deserialization of untrusted data in ldap user federation5.5Nov 25, 2025
CVE-2025-11538Keycloak-server: debug default bind address6.8Nov 13, 2025
CVE-2025-12390Org.keycloak.protocol.oidc.endpoints.logoutendpoint: offline session takeover due to reused authentication session id6.0Oct 28, 2025
CVE-2025-10939Org.keycloak/keycloak-quarkus-server: unable to restrict access to the admin console3.7Oct 28, 2025
CVE-2025-12110Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed5.4Oct 23, 2025
CVE-2025-11429Keycloak-server: too long and not settings compliant session5.4Oct 23, 2025
CVE-2025-10044Keycloak: keycloak error_description injection on error pages4.3Sep 5, 2025
CVE-2025-9162Org.keycloak/keycloak-model-storage-service: variable injection into environment variables4.9Aug 21, 2025
CVE-2025-8419Org.keycloak/keycloak-services: keycloak smtp inject vulnerability5.3Aug 6, 2025

Product normalization is registry-driven with AI assist and human review. How it works