org.keycloak:keycloak-server-spi-private (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.keycloak:keycloak-server-spi-private, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (5)
CVE-2026-2603 — CVSS 8.1 (high): A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity…
CVE-2026-0871 — CVSS 4.9 (medium): A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for…
CVE-2020-10776 — CVSS 4.8 (medium): A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw…
CVE-2026-3190 — CVSS 4.3 (medium): A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the…
CVE-2023-2585 — CVSS 3.5 (low): Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing…