Red hat build of keycloak

This hub aggregates every CVE we track for Red hat build of keycloak, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Red hat build of keycloak.

• CVE-2026-11986Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of keycloak4.9Jun 11, 2026
• CVE-2026-11577Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass7.2Jun 8, 2026
• CVE-2026-9798Keycloak: keycloak: brute-force protection bypass in ciba flow4.3May 28, 2026
• CVE-2026-9796Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability6.5May 28, 2026
• CVE-2026-9795Keycloak: keycloak: privilege escalation via improper scope mapping enforcement7.3May 28, 2026
• CVE-2026-9793Keycloak: keycloak: security policy bypass in jwe-encrypted request object processing5.9May 28, 2026
• CVE-2026-9689Keycloak: org.keycloak.protocol.oidc: http parameter pollution in oidc redirect uri allows response parameter duplication - #ghi-6044.2May 27, 2026
• CVE-2026-37980Org.keycloak.forms.login: keycloak: keycloak: arbitrary code execution via stored cross-site scripting (xss) in organization selection login page6.9Apr 14, 2026
• CVE-2026-4636Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.8.1Apr 2, 2026
• CVE-2026-4874Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation3.1Mar 26, 2026
• CVE-2026-4633Keycloak: keycloak: user enumeration via differential error messages3.7Mar 23, 2026
• CVE-2026-4628Keycloak: org.keycloak.authorization: keycloak: unauthorized resource modification due to improper access control4.3Mar 23, 2026
• CVE-2026-4366Keycloak-services: blind server-side request forgery (ssrf) via http redirect handling in keycloak5.8Mar 18, 2026
• CVE-2026-3429Org.keycloak.services.resources.account: improper access control leading to mfa deletion and account takeover in keycloak account rest api4.2Mar 11, 2026
• CVE-2026-2733Org.keycloak/keycloak-services: keycloak: missing check on disabled client for docker registry protocol3.8Feb 19, 2026