
CVSS: 5.5 | EPSS: % | CPEs: 2 | EXPL: 0

23 Oct 2025 — A flaw was found in Keycloak. An offline session continues to be valid after the offline_access scope is removed from the client: the refresh token is still accepted and new tokens can continue to be requested for the session. This can lead to a situation where an administrator removes the scope and assumes that offline sessions are no longer available, when in fact they remain valid. • https://access.redhat.com/security/cve/CVE-2025-12110 • CWE-613: Insufficient Session Expiration

CVSS: 5.5 | EPSS: % | CPEs: 2 | EXPL: 0

23 Oct 2025 — A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration ... • https://access.redhat.com/security/cve/CVE-2025-11429 • CWE-613: Insufficient Session Expiration

CVSS: 5.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

05 Sep 2025 — A flaw was found in Keycloak. Keycloak's account console and other pages accept arbitrary text in the error_description query parameter. This text is rendered directly in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs carrying misleading messages (e.g., fake support phone numbers or URLs) that are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors. • https://access.redhat.com/errata/RHSA-2025:16399 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 2 | EXPL: 0

21 Aug 2025 — A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure, which can lead to unintended consequences within the Keycloak environment. • https://access.redhat.com/errata/RHSA-2025:15336 • CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable

CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

06 Aug 2025 — A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP injection and unexpectedly send short, unwanted e-mails. The e-mail address is limited to 64 characters (the limit of the local part of the address), so the attack is limited to very short e-mails (a subject and little data; the example is 60 characters). This flaw's only direct consequence is an unsolicited e-mail being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attack... • https://access.redhat.com/security/cve/CVE-2025-8419 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSS: 7.7 | EPSS: 0% | CPEs: 5 | EXPL: 0

18 Jul 2025 — A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm. • https://access.redhat.com/security/cve/CVE-2025-7784 • CWE-269: Improper Privilege Management

CVSS: 5.6 | EPSS: 0% | CPEs: 2 | EXPL: 0

10 Jul 2025 — A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker is subsequently prompted to "review profile" information. This vulnerability allows the attacker to change their e-mail address to match that of a victim's account, triggering a verification e-mail sent to the victim's address. The attacker's e-mail address is not present in the verification e-mail content, making it a potential ph... • https://access.redhat.com/security/cve/CVE-2025-7365 • CWE-346: Origin Validation Error

CVSS: 3.3 | EPSS: 0% | CPEs: 3 | EXPL: 0

20 Jun 2025 — A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. Although it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently expose sensitive environment information. • https://access.redhat.com/security/cve/CVE-2025-5416 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

CVSS: 6.4 | EPSS: 0% | CPEs: 2 | EXPL: 0

29 Apr 2025 — A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to bypass requirements such as setting up two-factor authentication. • https://access.redhat.com/errata/RHSA-2025:4335 • CWE-287: Improper Authentication

CVSS: 8.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

29 Apr 2025 — A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. • https://access.redhat.com/errata/RHSA-2025:4335 • CWE-297: Improper Validation of Certificate with Host Mismatch