
CVE-2025-9162 – Org.keycloak/keycloak-model-storage-service: variable injection into environment variables
https://notcve.org/view.php?id=CVE-2025-9162
21 Aug 2025 — A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment. • https://access.redhat.com/security/cve/CVE-2025-9162 • CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable

CVE-2025-8419 – Org.keycloak/keycloak-services: keycloak smtp inject vulnerability
https://notcve.org/view.php?id=CVE-2025-8419
06 Aug 2025 — A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very short emails (subject and little data; the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attack... • https://access.redhat.com/security/cve/CVE-2025-8419 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVE-2025-7784 – Org.keycloak/keycloak-services: privilege escalation in keycloak admin console (fgapv2 enabled)
https://notcve.org/view.php?id=CVE-2025-7784
18 Jul 2025 — A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm. • https://access.redhat.com/security/cve/CVE-2025-7784 • CWE-269: Improper Privilege Management

CVE-2025-7365 – Keycloak: phishing attack via email verification step in first login flow
https://notcve.org/view.php?id=CVE-2025-7365
10 Jul 2025 — A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential ph... • https://access.redhat.com/security/cve/CVE-2025-7365 • CWE-346: Origin Validation Error

CVE-2025-5416 – Keycloak-core: keycloak environment information
https://notcve.org/view.php?id=CVE-2025-5416
20 Jun 2025 — A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information. • https://access.redhat.com/security/cve/CVE-2025-5416 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

CVE-2025-3910 – Org.keycloak.authentication: two factor authentication bypass
https://notcve.org/view.php?id=CVE-2025-3910
29 Apr 2025 — A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. • https://access.redhat.com/errata/RHSA-2025:4335 • CWE-287: Improper Authentication

CVE-2025-3501 – Org.keycloak.protocol.services: keycloak hostname verification
https://notcve.org/view.php?id=CVE-2025-3501
29 Apr 2025 — A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. • https://access.redhat.com/errata/RHSA-2025:4335 • CWE-297: Improper Validation of Certificate with Host Mismatch

CVE-2025-2559 – Org.keycloak/keycloak-services: jwt token cache exhaustion leading to denial of service (dos) in keycloak
https://notcve.org/view.php?id=CVE-2025-2559
25 Mar 2025 — A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system. New images are available for Red Hat build of Keycloak 26.0.11 and Red Hat build of Keycloak 26.0.11 Opera... • https://access.redhat.com/security/cve/CVE-2025-2559 • CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2025-23368 – Org.wildfly.core:wildfly-elytron-integration: wildfly elytron brute force attack via cli
https://notcve.org/view.php?id=CVE-2025-23368
04 Mar 2025 — A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI. • https://access.redhat.com/security/cve/CVE-2025-23368 • CWE-307: Improper Restriction of Excessive Authentication Attempts

CVE-2024-4028 – Keycloak-core: stored xss in keycloak when creating items in admin console
https://notcve.org/view.php?id=CVE-2024-4028
18 Feb 2025 — A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack. • https://access.redhat.com/security/cve/CVE-2024-4028 • CWE-20: Improper Input Validation