CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-2559 – Org.keycloak/keycloak-services: jwt token cache exhaustion leading to denial of service (dos) in keycloak
https://notcve.org/view.php?id=CVE-2025-2559
25 Mar 2025 — A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system. • https://access.redhat.com/security/cve/CVE-2025-2559 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.1EPSS: 0%CPEs: 12EXPL: 0CVE-2025-23368 – Org.wildfly.core:wildfly-elytron-integration: wildfly elytron brute force attack via cli
https://notcve.org/view.php?id=CVE-2025-23368
04 Mar 2025 — A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI. • https://access.redhat.com/security/cve/CVE-2025-23368 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 4.7EPSS: 0%CPEs: 3EXPL: 0CVE-2024-4028 – Keycloak-core: stored xss in keycloak when creating a items in admin console
https://notcve.org/view.php?id=CVE-2024-4028
18 Feb 2025 — A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack. • https://access.redhat.com/security/cve/CVE-2024-4028 • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-1391 – Keycloak-services: improper authorization in keycloak organization mapper allows unauthorized organization claims
https://notcve.org/view.php?id=CVE-2025-1391
17 Feb 2025 — A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges. • https://access.redhat.com/security/cve/CVE-2025-1391 • CWE-284: Improper Access Control •
CVSS: 5.5EPSS: 0%CPEs: 46EXPL: 0CVE-2024-11831 – Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript
https://notcve.org/view.php?id=CVE-2024-11831
10 Feb 2025 — A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web applicatio... • https://access.redhat.com/security/cve/CVE-2024-11831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 10EXPL: 0CVE-2025-23367 – Org.wildfly.core:wildfly-server: wildfly improper rbac permission
https://notcve.org/view.php?id=CVE-2025-23367
30 Jan 2025 — A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whet... • https://access.redhat.com/security/cve/CVE-2025-23367 • CWE-284: Improper Access Control •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-0604 – Keycloak-ldap-federation: authentication bypass due to missing ldap bind after password reset in keycloak
https://notcve.org/view.php?id=CVE-2025-0604
22 Jan 2025 — A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycloak, bypassing AD restrictions. The issue enables authentication bypass and could allow unauthorized access under certain conditions. New images are available for Red Hat build of Keycloak 26.0.10 and Red Hat build of Keycloak 26.0.... • https://access.redhat.com/security/cve/CVE-2025-0604 • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-11736 – Org.keycloak:keycloak-quarkus-server: unrestricted admin use of system and environment variables
https://notcve.org/view.php?id=CVE-2024-11736
14 Jan 2025 — A vulnerability was found in Keycloak. Admin users may have to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing. Se encontró una vulnerabilidad en Keycloak. • https://access.redhat.com/errata/RHSA-2025:0299 • CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-11734 – Org.keycloak:keycloak-quarkus-server: denial of service in keycloak server via security headers
https://notcve.org/view.php?id=CVE-2024-11734
14 Jan 2025 — A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that has already been terminated, leading to the failure of said request. Se encontró una vulnerabilidad de denegación de servicio en Keycloak que podría permitir que un usuario administrativo con derecho a cambi... • https://access.redhat.com/errata/RHSA-2025:0299 • CWE-693: Protection Mechanism Failure •
CVSS: 5.7EPSS: 0%CPEs: 4EXPL: 0CVE-2024-10973 – Keycloak: cli option for encrypted jgroups ignored
https://notcve.org/view.php?id=CVE-2024-10973
17 Dec 2024 — A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information. • https://access.redhat.com/security/cve/CVE-2024-10973 • CWE-319: Cleartext Transmission of Sensitive Information •