
CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

30 Apr 2026 — When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional, including both read and write operations, because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The caller must still hold the permissions required to use the API; the flaw is that a feature the operator disabled stays reachable, not that authorization is bypassed. • https://access.redhat.com/security/cve/CVE-2026-7500 • CWE-425: Direct Request ('Forced Browsing') •

CVSS: 7.2 | EPSS: 0% | CPEs: 4 | EXPL: 0

26 Mar 2026 — A flaw was found in Keycloak. An administrator holding the `manage-clients` permission can exploit a misconfiguration in which that permission is treated as equivalent to `manage-permissions`. This lets the administrator escalate privileges and take control of roles, users, or other administrative functions within the realm. The escalation is possible when admin permissions are enabled at the realm level. • https://access.redhat.com/errata/RHSA-2026:6477 • CWE-266: Incorrect Privilege Assignment •

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

26 Mar 2026 — A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. Any authenticated user holding a token issued for a resource-server client, even one without the `uma_protection` role, can enumerate all permission tickets in the system. The result is a partial information disclosure. • https://access.redhat.com/errata/RHSA-2026:6477 • CWE-280: Improper Handling of Insufficient Permissions or Privileges •

CVSS: 8.1 | EPSS: 0% | CPEs: 6 | EXPL: 0

05 Mar 2026 — A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed through an Identity Provider (IdP) even after an administrator has disabled it. An attacker who knows the IdP alias can replay a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider. • https://access.redhat.com/errata/RHSA-2026:3947 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •

CVSS: 5.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

10 Feb 2026 — A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are written to the logs in cleartext. An attacker with read access to the log files can extract these credentials (e.g., bearer tokens, session cookies) and use them to impersonate users, leading to full account compromise. • https://access.redhat.com/security/cve/CVE-2025-11537 • CWE-117: Improper Output Neutralization for Logs •
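The practical check for the log-disclosure entry above is to scan existing log files for credential-bearing headers and to redact them before the files are shipped anywhere. The following is an added example, not Keycloak code and not from the advisory; the log lines are constructed to imitate a verbose pattern that dumps request headers, and the header list and layout assumptions are the example's own.

```python
import re

# Constructed sample log lines for this example; they imitate a verbose
# console pattern that dumps request headers and are not real Keycloak output.
SAMPLE_LOG = """\
2026-02-10 10:15:01,123 INFO  [org.keycloak.events] (executor-thread-1) type=LOGIN, realmId=demo, userId=1234
2026-02-10 10:15:02,456 DEBUG [org.keycloak.services] (executor-thread-2) headers={Authorization=Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl, Accept=application/json}
2026-02-10 10:15:03,789 DEBUG [org.keycloak.services] (executor-thread-3) headers={Cookie=KEYCLOAK_SESSION=demo/1234/abcd; AUTH_SESSION_ID=ef01, Host=sso.example.test}
2026-02-10 10:15:04,000 INFO  [org.keycloak.events] (executor-thread-1) type=LOGOUT, realmId=demo
"""

# Header names whose values are credentials or session identifiers.
# Longer names come first so "Proxy-Authorization" is not reported as "Authorization".
SENSITIVE_HEADERS = ("proxy-authorization", "authorization", "set-cookie", "cookie")

# "<header>=<value>" or "<header>: <value>", the value running to the next
# comma, closing brace or end of line (assumed layout of the dumped header map).
# Group 2 keeps the separator so redaction preserves the original layout.
_PATTERN = re.compile(
    r"(?i)\b(" + "|".join(SENSITIVE_HEADERS) + r")(\s*[:=]\s*)([^,}\n]+)"
)


def find_leaked_credentials(log_text):
    """Return (line_no, header, value) for every credential-bearing header found."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for m in _PATTERN.finditer(line):
            hits.append((line_no, m.group(1).lower(), m.group(3).strip()))
    return hits


def redact(log_text):
    """Replace leaked header values with a marker but keep the header name and separator."""
    return _PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}<redacted>", log_text)


if __name__ == "__main__":
    for line_no, header, value in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {line_no}: {header} leaked ({value[:24]}...)")
    print(redact(SAMPLE_LOG))
```

Run it over a real log directory with `find_leaked_credentials(open(path).read())`; any hit is a credential that must be treated as exposed (revoke the session or token), not merely redacted.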

CVSS: 5.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

09 Feb 2026 — A flaw was found in Keycloak. A broken access control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When a UMA policy that covers multiple resources is updated or deleted, the authorization check verifies the caller's ownership only against the first resource in the policy's resource list. A user (Owner A) who owns one resource (RA) can therefore update a shared policy and modify the authorization rules for the other resources (e.g., RB) in the same policy, even if those oth... • https://access.redhat.com/errata/RHSA-2026:2363 • CWE-266: Incorrect Privilege Assignment •
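The first-resource-only check described above is easy to model. The following added example is not Keycloak code; it is a minimal reconstruction of the flawed ownership check next to the corrected one, with a constructed scenario (resources RA and RB, owners A and B, one shared policy) matching the advisory's description. The dataclasses and the `allowed_users` rule are the example's own assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    id: str
    owner: str


@dataclass
class Policy:
    id: str
    resources: list       # Resource objects the policy covers (assumed shape)
    allowed_users: list   # the authorization rule being edited (assumed shape)


class NotOwner(PermissionError):
    pass


def check_owner_first_only(caller, policy):
    """The flawed check: ownership is verified against the first resource only."""
    first = policy.resources[0] if policy.resources else None
    if first is None or first.owner != caller:
        raise NotOwner(f"{caller} does not own the first resource of {policy.id}")


def check_owner_all(caller, policy):
    """The hardened check: the caller must own every resource the policy covers."""
    if not policy.resources:
        raise NotOwner(f"{policy.id} covers no resources")
    for res in policy.resources:
        if res.owner != caller:
            raise NotOwner(f"{caller} does not own {res.id}")


def update_policy(caller, policy, new_allowed_users, check=check_owner_all):
    """Run the ownership check, then mutate. Returns True on success, False when denied."""
    try:
        check(caller, policy)
    except NotOwner:
        return False
    policy.allowed_users = list(new_allowed_users)
    return True


def shared_policy():
    """Constructed scenario: RA owned by A, RB owned by B, one policy covering both."""
    ra = Resource("RA", "owner-a")
    rb = Resource("RB", "owner-b")
    return Policy("shared-policy", [ra, rb], allowed_users=["reviewer"])


if __name__ == "__main__":
    p = shared_policy()
    print("flawed check lets owner-a rewrite RB's rule:",
          update_policy("owner-a", p, ["mallory"], check=check_owner_first_only))   # True
    p = shared_policy()
    print("fixed check denies it:",
          not update_policy("owner-a", p, ["mallory"]))                             # True
```

The same shape applies to delete: run the all-resources check before removing the policy, and reject a policy with no resources rather than treating it as trivially owned.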

CVSS: 8.5 | EPSS: 0% | CPEs: 2 | EXPL: 1

09 Feb 2026 — A flaw was found in Keycloak. An attacker can modify the organization ID and target email inside the JSON Web Token (JWT) payload of a legitimate invitation token. Because the token's cryptographic signature is not verified, the tampered token is accepted, allowing the attacker to self-register into an unauthorized organization and gain unauthorized access. • https://packetstorm.news/files/id/215260 • CWE-347: Improper Verification of Cryptographic Signature •

CVSS: 9.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

09 Feb 2026 — A flaw was found in Keycloak. In the jwt-authorization-grant flow the server fails to verify that an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter out entries with isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, res... • https://access.redhat.com/errata/RHSA-2026:2365 • CWE-358: Improperly Implemented Security Check for Standard •
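The invitation-token entry (signature never checked) and the jwt-authorization-grant entry (signature checked, but against a disabled IdP) are two failures of the same verification routine, and the disabled-provider check is the same one the performLogin entry above calls for. The following added example, which is not Keycloak code, shows one verifier that resolves the issuer to an IdP, refuses disabled providers, then verifies the signature, alongside the unverified decode that the invitation bug relied on. HS256 with a shared secret stands in for the IdP's asymmetric signing key, and the issuer registry, aliases and claim names are the example's own assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_jwt(payload, key):
    """Mint an HS256 JWT; HMAC stands in for the IdP's asymmetric signing key (assumption)."""
    signing_input = f"{b64url_encode(_json({'alg': 'HS256', 'typ': 'JWT'}))}.{b64url_encode(_json(payload))}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_unverified(token):
    """The invitation-token flaw: payload parsed and trusted with no signature check."""
    return json.loads(b64url_decode(token.split(".")[1]))


def tamper(token, **changes):
    """What the attacker does: rewrite claims and keep the original (now stale) signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{b64url_encode(_json(payload))}.{sig_b64}"


# Constructed IdP registry keyed by issuer; the secrets are demo values.
IDENTITY_PROVIDERS = {
    "https://idp-a.example.test": {"alias": "idp-a", "enabled": True,  "key": b"idp-a-demo-secret"},
    "https://idp-b.example.test": {"alias": "idp-b", "enabled": False, "key": b"idp-b-demo-secret"},
}


def lookup_idp_from_issuer(issuer, providers=IDENTITY_PROVIDERS):
    """Issuer -> IdP lookup that refuses disabled providers (the filter the advisory says was missing)."""
    idp = providers.get(issuer)
    if idp is None:
        raise LookupError(f"no identity provider for issuer {issuer!r}")
    if not idp["enabled"]:
        raise PermissionError(f"identity provider {idp['alias']} is disabled")
    return idp


def verify_assertion(token, providers=IDENTITY_PROVIDERS, now=None):
    """Return verified claims or raise. Order: parse, resolve IdP, enabled check, signature, expiry."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(payload_b64))   # parsed, not yet trusted
    idp = lookup_idp_from_issuer(claims.get("iss"), providers)
    expected = hmac.new(idp["key"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify under the issuer's key")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    return claims


def is_accepted(token, providers=IDENTITY_PROVIDERS, now=None):
    """Boolean wrapper so the failure modes can be compared side by side."""
    try:
        verify_assertion(token, providers, now)
        return True
    except (LookupError, PermissionError, ValueError):
        return False


if __name__ == "__main__":
    now = 1_700_000_000
    good = sign_jwt({"iss": "https://idp-a.example.test", "sub": "alice", "exp": now + 300}, b"idp-a-demo-secret")
    disabled = sign_jwt({"iss": "https://idp-b.example.test", "sub": "bob", "exp": now + 300}, b"idp-b-demo-secret")
    invite = sign_jwt({"iss": "https://idp-a.example.test", "org": "org-1", "email": "alice@example.test",
                       "exp": now + 300}, b"idp-a-demo-secret")
    forged = tamper(invite, org="org-2", email="mallory@example.test")
    print("enabled IdP, valid signature:", is_accepted(good, now=now))        # True
    print("disabled IdP, valid signature:", is_accepted(disabled, now=now))   # False
    print("forged invitation, unverified org:", decode_unverified(forged)["org"],
          "| verified:", is_accepted(forged, now=now))                         # org-2 | False
```

Resolving the IdP before checking the signature matters: the key used for verification must come from the provider named in `iss`, so a disabled or unknown issuer has to be rejected at lookup time, not after a token has already been minted.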

CVSS: 7.8 | EPSS: 0% | CPEs: 25 | EXPL: 0

30 Jan 2026 — A flaw was found in Undertow. Servlets that call HttpServletRequestImpl.getParameterNames() can trigger an OutOfMemoryError when a client sends a request with very large parameter names. An unauthorized user can exploit this to cause a remote denial of service (DoS). • https://access.redhat.com/security/cve/CVE-2024-4027 • CWE-20: Improper Input Validation •

CVSS: 3.1 | EPSS: 0% | CPEs: 5 | EXPL: 0

26 Jan 2026 — A flaw was found in Keycloak's SAML brokering functionality. When Keycloak acts as a Security Assertion Markup Language (SAML) client, it fails to validate the `NotOnOrAfter` timestamp within `SubjectConfirmationData`. An attacker can therefore present SAML responses whose subject confirmation has already expired, extending the time a response is treated as valid and leading to unexpected session durations or resource consumption. • https://access.redhat.com/security/cve/CVE-2026-1190 • CWE-112: Missing XML Validation •
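The check the last entry says was missing is the bearer-confirmation deadline, which is separate from the assertion-level `<Conditions>` window and is typically shorter. The following added example is not Keycloak code: it parses a constructed, unsigned assertion fragment and evaluates both windows, so a timestamp that passes `<Conditions>` but falls after `SubjectConfirmationData/@NotOnOrAfter` is rejected. The 30-second clock-skew allowance, the Recipient URL and the issuer are the example's own assumptions; signature validation is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed minimal assertion for this example; not a real IdP response and
# unsigned. Conditions/@NotOnOrAfter (10:10) deliberately outlasts
# SubjectConfirmationData/@NotOnOrAfter (10:05).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2026-01-26T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2026-01-26T10:05:00Z"
          Recipient="https://sp.example.test/broker/saml/endpoint"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2026-01-26T09:59:00Z" NotOnOrAfter="2026-01-26T10:10:00Z"/>
</saml:Assertion>"""


def parse_instant(text):
    """Parse a SAML xsd:dateTime; the trailing 'Z' form is the common one. Naive values are taken as UTC."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    value = datetime.fromisoformat(text)
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value


def conditions_valid(assertion_xml, now, skew=timedelta(seconds=30)):
    """Assertion-level <Conditions> window only; 'now' is an xsd:dateTime string."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False
    now = parse_instant(now)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_instant(not_before):
        return False
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return False
    return True


def bearer_confirmation_valid(assertion_xml, now, skew=timedelta(seconds=30)):
    """The missing check: every bearer SubjectConfirmationData must carry a NotOnOrAfter still in the future."""
    root = ET.fromstring(assertion_xml)
    now = parse_instant(now)
    bearer_seen = False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", SAML_NS):
        if sc.get("Method") != BEARER:
            continue
        bearer_seen = True
        data = sc.find("saml:SubjectConfirmationData", SAML_NS)
        if data is None or data.get("NotOnOrAfter") is None:
            return False          # bearer confirmation without a deadline is rejected
        if now - skew >= parse_instant(data.get("NotOnOrAfter")):
            return False          # NotOnOrAfter is exclusive: equal means expired
    return bearer_seen


def assertion_usable(assertion_xml, now):
    """Both windows must hold; a response is not usable just because <Conditions> still allows it."""
    return conditions_valid(assertion_xml, now) and bearer_confirmation_valid(assertion_xml, now)


if __name__ == "__main__":
    for when in ("2026-01-26T10:04:00Z", "2026-01-26T10:07:00Z"):
        print(when, "conditions:", conditions_valid(SAMPLE_ASSERTION, when),
              "bearer:", bearer_confirmation_valid(SAMPLE_ASSERTION, when),
              "usable:", assertion_usable(SAMPLE_ASSERTION, when))
```

At 10:07 the assertion still satisfies `<Conditions>` but its bearer confirmation expired at 10:05, which is exactly the window the advisory says an attacker could exploit when only the first check is applied.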