org.keycloak:keycloak-services (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.keycloak:keycloak-services, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (83)
CVE-2022-4361 — CVSS 10.0 (critical): Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC…
CVE-2022-1245 — CVSS 9.8 (critical): A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding…
CVE-2026-1486 — CVSS 8.8 (high): A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity…
CVE-2021-4133 — CVSS 8.8 (high): A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create…
CVE-2014-3709 — CVSS 8.8 (high): The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct…
CVE-2025-3501 — CVSS 8.2 (high): A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is…
CVE-2024-1132 — CVSS 8.1 (high): A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to…
CVE-2026-1529 — CVSS 8.1 (high): A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a…
CVE-2026-7504 — CVSS 8.1 (high): A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass…
CVE-2026-4636 — CVSS 8.1 (high): A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation…
CVE-2026-2603 — CVSS 8.1 (high): A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity…
CVE-2024-3656 — CVSS 8.1 (high): A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative…
CVE-2026-3009 — CVSS 8.1 (high): A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider…
CVE-2026-2092 — CVSS 7.7 (high): A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted…
CVE-2024-4540 — CVSS 7.5 (high): A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in…
CVE-2026-4634 — CVSS 7.5 (high): A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with…
CVE-2022-2232 — CVSS 7.5 (high): A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or…
CVE-2026-7507 — CVSS 7.5 (high): A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by…
CVE-2024-1249 — CVSS 7.4 (high): A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows…
CVE-2026-4282 — CVSS 7.4 (high): A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This…
CVE-2026-3872 — CVSS 7.3 (high): A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path…
CVE-2026-7571 — CVSS 7.1 (high): A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control…
CVE-2025-7365 — CVSS 7.1 (high): A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity…
CVE-2024-2419 — CVSS 7.1 (high): A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A…
CVE-2023-6291 — CVSS 7.1 (high): A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A…
CVE-2024-7341 — CVSS 7.1 (high): A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at…
CVE-2026-37980 — CVSS 6.9 (medium): A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or…
CVE-2026-37982 — CVSS 6.8 (medium): A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens…
CVE-2024-4629 — CVSS 6.5 (medium): A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login…
CVE-2023-6787 — CVSS 6.5 (medium): A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw…
CVE-2024-10270 — CVSS 6.5 (medium): A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a…
CVE-2026-37979 — CVSS 6.5 (medium): A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a…
CVE-2025-14559 — CVSS 6.5 (medium): A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for…
CVE-2026-3121 — CVSS 6.5 (medium): A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is…
CVE-2025-7784 — CVSS 6.5 (medium): A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions(FGAPv2) are enabled. An…
CVE-2022-1438 — CVSS 6.4 (medium): A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a…
CVE-2026-9087 — CVSS 6.4 (medium): A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the…
CVE-2024-8883 — CVSS 6.1 (medium): A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect…
CVE-2025-12390 — CVSS 6.0 (medium): A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device…
CVE-2023-6717 — CVSS 6.0 (medium): A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as…
CVE-2023-2422 — CVSS 5.5 (medium): A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify…
CVE-2025-14778 — CVSS 5.4 (medium): A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection…
CVE-2018-10894 — CVSS 5.4 (medium): It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use…
CVE-2022-1274 — CVSS 5.4 (medium): A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to…
CVE-2026-8922 — CVSS 5.4 (medium): A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID…
CVE-2023-6544 — CVSS 5.4 (medium): A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows…
CVE-2025-11429 — CVSS 5.4 (medium): A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user…
CVE-2025-12110 — CVSS 5.4 (medium): A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The…
CVE-2025-1391 — CVSS 5.4 (medium): A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username…
CVE-2025-3910 — CVSS 5.4 (medium): A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to…
CVE-2026-7500 — CVSS 5.4 (medium): When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints…
CVE-2026-4325 — CVSS 5.3 (medium): A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This…
CVE-2023-6484 — CVSS 5.3 (medium): A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn…
CVE-2021-3754 — CVSS 5.3 (medium): A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user…
CVE-2021-3424 — CVSS 5.3 (medium): A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can…
CVE-2026-2575 — CVSS 5.3 (medium): A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a…
CVE-2025-8419 — CVSS 5.3 (medium): A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and…
CVE-2023-3597 — CVSS 5.0 (medium): A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This…
CVE-2023-0264 — CVSS 5.0 (medium): A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker…
CVE-2025-2559 — CVSS 4.9 (medium): A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a…
CVE-2026-37978 — CVSS 4.9 (medium): A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes'…
CVE-2020-10776 — CVSS 4.8 (medium): A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw…
CVE-2023-6134 — CVSS 4.6 (medium): A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This…
CVE-2026-4628 — CVSS 4.3 (medium): A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint…
CVE-2026-8830 — CVSS 4.3 (medium): A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating…
CVE-2026-3190 — CVSS 4.3 (medium): A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the…
CVE-2026-3429 — CVSS 4.2 (medium): A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive…
CVE-2026-2733 — CVSS 3.8 (low): A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry…
CVE-2026-4633 — CVSS 3.7 (low): A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when…
CVE-2024-1722 — CVSS 3.7 (low): A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from…
CVE-2026-37977 — CVSS 3.7 (low): A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in…
CVE-2023-2585 — CVSS 3.5 (low): Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing…
CVE-2023-0657 — CVSS 3.4 (low): A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could…
CVE-2026-1035 — CVSS 3.1 (low): A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing…
CVE-2025-12150 — CVSS 3.1 (low): A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured…
CVE-2026-1190 — CVSS 3.1 (low): A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup…
CVE-2026-4874 — CVSS 3.1 (low): A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the…
CVE-2025-14082 — CVSS 2.7 (low): A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of…
CVE-2025-14083 — CVSS 2.7 (low): A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to…
CVE-2026-3911 — CVSS 2.7 (low): A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component…
CVE-2025-13881 — CVSS 2.7 (low): A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom…