Keycloak — Vulnerabilities & Security Advisories (14)

Browse all 14 CVE security advisories affecting Keycloak. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Keycloak is an open-source identity and access management solution that provides authentication and authorization services (OAuth 2.0, OpenID Connect and SAML) for applications and services. The 14 CVEs currently documented for it span several vulnerability classes: cross-site scripting, deserialization of untrusted data in LDAP user federation, session-management flaws (offline session takeover, sessions that outlive their configured lifetime or a revoked offline_access scope), authorization and access-control weaknesses, injection into SMTP and environment variables, and information disclosure. Several of these stem from default configurations (for example the default debug bind address) or from integrations such as LDAP, SMTP and WebAuthn rather than from the core protocol flows. No large-scale public compromise attributed to a Keycloak CVE has been widely reported, but because Keycloak issues the tokens that downstream services trust, a flaw in it affects every relying application, so the list warrants careful configuration review and timely patching.

Products under Keycloak: keycloak; keycloak REST API
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-12150 | org.keycloak/keycloak-services: WebAuthn attestation statement verification bypass | keycloak | CWE-347 | 3.1 | Low | 2026-02-27 |
| CVE-2025-13467 | org.keycloak.storage.ldap: deserialization of untrusted data in LDAP user federation | keycloak | CWE-502 | 5.5 | Medium | 2025-11-25 |
| CVE-2025-11538 | keycloak-server: debug default bind address | keycloak | CWE-1327 | 6.8 | Medium | 2025-11-13 |
| CVE-2025-12390 | org.keycloak.protocol.oidc.endpoints.logoutendpoint: offline session takeover due to reused authentication session ID | keycloak | CWE-384 | 6.0 | Medium | 2025-10-28 |
| CVE-2025-10939 | org.keycloak/keycloak-quarkus-server: unable to restrict access to the admin console | keycloak | CWE-427 | 3.7 | Low | 2025-10-28 |
| CVE-2025-12110 | org.keycloak:keycloak-services: user can refresh an offline session even after the client's offline_access scope was removed | keycloak | CWE-613 | 5.4 | Medium | 2025-10-23 |
| CVE-2025-11429 | keycloak-server: session lifetime exceeds the configured session settings | keycloak | CWE-613 | 5.4 | Medium | 2025-10-23 |
| CVE-2025-10044 | Keycloak: error_description injection on error pages | keycloak | CWE-79 | 4.3 | Medium | 2025-09-05 |
| CVE-2025-9162 | org.keycloak/keycloak-model-storage-service: variable injection into environment variables | keycloak | CWE-526 | 4.9 | Medium | 2025-08-21 |
| CVE-2025-8419 | org.keycloak/keycloak-services: SMTP injection vulnerability | keycloak | CWE-93 | 5.3 | Medium | 2025-08-06 |
| CVE-2022-4361 | Red Hat Keycloak cross-site scripting vulnerability | keycloak | CWE-81 | 10.0 | Critical | 2023-07-07 |
| CVE-2020-10686 | Red Hat Keycloak security vulnerability | keycloak | CWE-285 | 4.1 | Medium | 2020-05-04 |
| CVE-2019-14820 | Red Hat Keycloak information disclosure vulnerability | keycloak | CWE-200 | 7.5 | - | 2020-01-08 |
| CVE-2019-14832 | Red Hat Keycloak security vulnerability | keycloak REST API | CWE-863 | 7.1 | - | 2019-10-15 |

This page lists every published CVE security advisory associated with Keycloak. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.