Every CVE whose affected-product data names Redhat Keycloak, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (98)
CVE-2022-4361 — CVSS 10.0 (critical): Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC…
CVE-2022-1245 — CVSS 9.8 (critical): A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding…
CVE-2019-14910 — CVSS 9.8 (critical): A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS…
CVE-2021-20195 — CVSS 9.6 (critical): A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is…
CVE-2019-14837 — CVSS 9.1 (critical): A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing…
CVE-2022-3782 — CVSS 9.1 (critical): keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a…
CVE-2023-4918 — CVSS 8.8 (high): A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration…
CVE-2019-10199 — CVSS 8.8 (high): It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use…
CVE-2026-3047 — CVSS 8.8 (high): A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity…
CVE-2021-4133 — CVSS 8.8 (high): A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create…
CVE-2020-1714 — CVSS 8.8 (high): A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw…
CVE-2019-14909 — CVSS 8.3 (high): A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or…
CVE-2018-14657 — CVSS 8.1 (high): A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm…
CVE-2020-14389 — CVSS 8.1 (high): It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account…
CVE-2022-4137 — CVSS 8.1 (high): A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue…
CVE-2024-1132 — CVSS 8.1 (high): A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to…
CVE-2019-10201 — CVSS 8.1 (high): It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML…
CVE-2023-6563 — CVSS 7.7 (high): An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of…
CVE-2021-20222 — CVSS 7.5 (high): A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The…
CVE-2017-2646 — CVSS 7.5 (high): It was found that when Keycloak before 2.5.5 receives a Logout request with a Extensions in the middle of the request, the…
CVE-2023-6841 — CVSS 7.5 (high): A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending…
CVE-2019-14832 — CVSS 7.5 (high): A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured…
CVE-2020-10758 — CVSS 7.5 (high): A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified…
CVE-2021-3637 — CVSS 7.5 (high): A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessi…
CVE-2021-3632 — CVSS 7.5 (high): A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already…
CVE-2021-3513 — CVSS 7.5 (high): A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a…
CVE-2021-20202 — CVSS 7.3 (high): A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider…
CVE-2022-2668 — CVSS 7.2 (high): An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS…
CVE-2017-12160 — CVSS 7.2 (high): It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication…
CVE-2021-3461 — CVSS 7.1 (high): A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity…
CVE-2024-7341 — CVSS 7.1 (high): A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at…
CVE-2025-7365 — CVSS 7.1 (high): A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity…
CVE-2020-1718 — CVSS 7.1 (high): A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized…
CVE-2023-6291 — CVSS 7.1 (high): A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A…
CVE-2020-14366 — CVSS 6.8 (medium): A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the…
CVE-2021-3827 — CVSS 6.8 (medium): A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this…
CVE-2022-3916 — CVSS 6.8 (medium): A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are…
CVE-2021-20262 — CVSS 6.8 (medium): A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to…
CVE-2019-10170 — CVSS 6.6 (medium): A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw…
CVE-2019-10169 — CVSS 6.6 (medium): A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw…
CVE-2020-27838 — CVSS 6.5 (medium): A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients…
CVE-2016-8629 — CVSS 6.5 (medium): Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the…
CVE-2017-2582 — CVSS 6.5 (medium): It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining…
CVE-2019-3875 — CVSS 6.5 (medium): A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the…
CVE-2022-1466 — CVSS 6.5 (medium): Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform…
CVE-2023-0105 — CVSS 6.5 (medium): A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An…
CVE-2023-1664 — CVSS 6.5 (medium): A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the…
CVE-2023-6787 — CVSS 6.5 (medium): A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw…
CVE-2024-4629 — CVSS 6.5 (medium): A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login…
CVE-2022-1438 — CVSS 6.4 (medium): A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a…
CVE-2020-1727 — CVSS 6.4 (medium): A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input…
CVE-2020-1697 — CVSS 6.1 (medium): It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not…
CVE-2020-10748 — CVSS 6.1 (medium): A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This…
CVE-2018-14658 — CVSS 6.1 (medium): A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc…
CVE-2018-14637 — CVSS 6.1 (medium): The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can…
CVE-2024-7260 — CVSS 6.1 (medium): An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri…
CVE-2017-2585 — CVSS 5.9 (medium): Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in…
CVE-2023-48795 — CVSS 5.9 (medium): The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to…
CVE-2020-1744 — CVSS 5.6 (medium): A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP…
CVE-2023-2422 — CVSS 5.5 (medium): A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify…
CVE-2018-10894 — CVSS 5.4 (medium): It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use…
CVE-2020-35509 — CVSS 5.4 (medium): A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant…
CVE-2022-0225 — CVSS 5.4 (medium): A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new…
CVE-2022-1274 — CVSS 5.4 (medium): A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to…
CVE-2020-1725 — CVSS 5.4 (medium): A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role…
CVE-2020-1758 — CVSS 5.3 (medium): A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using…
CVE-2020-10770 — CVSS 5.3 (medium): A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter…
CVE-2021-3754 — CVSS 5.3 (medium): A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user…
CVE-2025-8419 — CVSS 5.3 (medium): A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and…
CVE-2023-0264 — CVSS 5.0 (medium): A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker…
CVE-2020-1698 — CVSS 5.0 (medium): A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter…
CVE-2020-1694 — CVSS 4.9 (medium): A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw…
CVE-2018-10912 — CVSS 4.9 (medium): keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could…
CVE-2026-0871 — CVSS 4.9 (medium): A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for…
CVE-2020-14302 — CVSS 4.9 (medium): A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak…
CVE-2020-10776 — CVSS 4.8 (medium): A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw…
CVE-2020-1728 — CVSS 4.8 (medium): A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing…
CVE-2019-10157 — CVSS 4.7 (medium): It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its…
CVE-2023-6927 — CVSS 4.6 (medium): A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the…
CVE-2023-6134 — CVSS 4.6 (medium): A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This…
CVE-2018-14655 — CVSS 4.6 (medium): A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary…
CVE-2019-14820 — CVSS 4.3 (medium): It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be…
CVE-2016-8627 — CVSS 4.3 (medium): admin-cli before versions 3.0.0.alpha25, 2.2.1.cr2 is vulnerable to an EAP feature to download server log files that allows logs to be…
CVE-2020-1724 — CVSS 4.3 (medium): A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal…
CVE-2021-3856 — CVSS 4.3 (medium): ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending…
CVE-2020-27826 — CVSS 4.2 (medium): A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API…
CVE-2020-10686 — CVSS 4.1 (medium): A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself…
CVE-2019-3868 — CVSS 3.8 (low): Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for…
CVE-2023-0091 — CVSS 3.8 (low): A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This…
CVE-2024-1722 — CVSS 3.7 (low): A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from…
CVE-2016-8609 — CVSS 3.7 (low): It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a…
CVE-2020-10734 — CVSS 3.3 (low): A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat…
CVE-2025-12150 — CVSS 3.1 (low): A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured…
CVE-2020-1717 — CVSS 2.7 (low): A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.
CVE-2025-5416 — CVSS 2.7 (low): A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already…