org.keycloak:keycloak-parent (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.keycloak:keycloak-parent, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (25)
CVE-2019-14910 — CVSS 9.8 (critical): A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS…
CVE-2022-3782 — CVSS 9.1 (critical): keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a…
CVE-2019-14909 — CVSS 8.3 (high): A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or…
CVE-2022-4137 — CVSS 8.1 (high): A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue…
CVE-2018-14657 — CVSS 8.1 (high): A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm…
CVE-2021-20222 — CVSS 7.5 (high): A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The…
CVE-2021-3513 — CVSS 7.5 (high): A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a…
CVE-2020-10758 — CVSS 7.5 (high): A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified…
CVE-2017-12159 — CVSS 7.5 (high): It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain…
CVE-2017-12160 — CVSS 7.2 (high): It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication…
CVE-2022-2668 — CVSS 7.2 (high): An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS…
CVE-2020-1718 — CVSS 7.1 (high): A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized…
CVE-2021-3461 — CVSS 7.1 (high): A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity…
CVE-2022-3916 — CVSS 6.8 (medium): A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are…
CVE-2020-14366 — CVSS 6.8 (medium): A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the…
CVE-2020-10748 — CVSS 6.1 (medium): A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This…
CVE-2017-12158 — CVSS 5.4 (medium): It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker…
CVE-2020-1725 — CVSS 5.4 (medium): A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role…
CVE-2026-0707 — CVSS 5.3 (medium): A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer"…
CVE-2020-1758 — CVSS 5.3 (medium): A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using…
CVE-2020-1694 — CVSS 4.9 (medium): A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw…
CVE-2018-14655 — CVSS 4.6 (medium): A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary…
CVE-2022-2256 — CVSS 3.8 (low): A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a…
CVE-2020-1717 — CVSS 2.7 (low): A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.
CVE-2026-1518 — CVSS 2.7 (low): A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could…