CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

25 Nov 2025 — A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. • https://access.redhat.com/errata/RHSA-2025:22089 • CWE-502: Deserialization of Untrusted Data

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

13 Nov 2025 — A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine. • https://access.redhat.com/errata/RHSA-2025:21370 • CWE-1327: Binding to an Unrestricted IP Address

CVSS: 6.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

28 Oct 2025 — A flaw was found in Keycloak. A user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and does not clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user. • https://access.redhat.com/security/cve/CVE-2025-12390 • CWE-384: Session Fixation

CVSS: 3.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

28 Oct 2025 — A flaw was found in Keycloak. The Keycloak guides recommend not exposing the /admin path to the outside when the installation is behind a proxy. The issue occurs at least via ha-proxy, which can be tricked into using relative/non-normalized paths to reach the /admin application path relative to /realms, which is expected to be exposed. New images are available for Red Hat build of Keycloak 26.4.4 and Red Hat build of Keycloak 26.4.4 Operator, running on OpenShift Container Platform. • https://access.redhat.com/security/cve/CVE-2025-10939 • CWE-427: Uncontrolled Search Path Element

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Oct 2025 — A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is still accepted, and new tokens can continue to be requested for the session. This can lead to a situation where an administrator removes the scope and assumes that offline sessions are no longer available, but they are. • https://access.redhat.com/security/cve/CVE-2025-12110 • CWE-613: Insufficient Session Expiration

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Oct 2025 — A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration ... • https://access.redhat.com/security/cve/CVE-2025-11429 • CWE-613: Insufficient Session Expiration

CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Sep 2025 — A flaw was found in Keycloak. Keycloak's account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors. • https://access.redhat.com/errata/RHSA-2025:16399 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Aug 2025 — A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment. • https://access.redhat.com/errata/RHSA-2025:15336 • CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

06 Aug 2025 — A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP injection and unexpectedly send short unwanted e-mails. The e-mail address is limited to 64 characters (the limit of the local part of the address), so the attack is limited to very short e-mails (a subject and a little data; the example is 60 characters). This flaw's only direct consequence is an unsolicited e-mail being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attack... • https://access.redhat.com/security/cve/CVE-2025-8419 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSS: 7.5 • EPSS: 0% • CPEs: 17 • EXPL: 0

26 Jan 2024 — A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. • https://access.redhat.com/errata/RHSA-2023:7854 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')