📦 Keycloak
by Red Hat
🛡️ Security Overview
⚠️ Known Vulnerabilities
Keycloak has a cross-site scripting (XSS) vulnerability in SAML and OIDC providers where attackers can inject malicious scripts via AssertionConsumerServiceURL or redirect_uri parameters. This allows ...
This vulnerability allows a client application with a valid access token to exchange tokens for any target client by specifying the target's client_id, bypassing authorization checks. This could enabl...
This vulnerability in Keycloak allows attackers to execute cross-site scripting (XSS) attacks that can lead to complete account takeover. The flaw exists in user-supplied data fields that aren't prope...
This CVE describes a denial-of-service vulnerability in Keycloak where attackers can send repeated HTTP requests with excessive attributes, causing resource exhaustion by forcing the application to pr...
This CVE describes a session fixation vulnerability in Keycloak's SAML adapters where session IDs aren't regenerated during login, even when configured to do so. Attackers who hijack a session before ...
This vulnerability in Keycloak allows attackers to bypass URL validation in redirects when clients use wildcards in Valid Redirect URIs. Attackers can construct malicious requests to access unauthoriz...
This vulnerability in Keycloak's redirect_uri validation logic allows attackers to bypass host restrictions and steal access tokens. Attackers can then impersonate legitimate users. All Keycloak deplo...
An unconstrained memory consumption vulnerability in Keycloak allows attackers to cause denial of service by triggering excessive resource usage when accessing the admin UI's consents tab in environme...
This reflected cross-site scripting (XSS) vulnerability in Keycloak's 'oob' OAuth endpoint allows attackers to inject malicious scripts via crafted links, potentially compromising user details when vi...
This vulnerability in Keycloak allows session persistence after logout when using external SAML identity providers with specific Principal Type configurations. Attackers could maintain access to user ...
This vulnerability allows any authenticated user in Keycloak to create new default user accounts via the administrative REST API, even when new user registration is disabled. This affects Keycloak ver...
This vulnerability in Keycloak's new account console allows attackers to execute malicious code via manipulated referrer URLs. It affects Keycloak deployments using the new account console interface. ...
CVE-2024-7260 is an open redirect vulnerability in Keycloak that allows attackers to craft malicious URLs that appear to be legitimate Keycloak pages but redirect users to malicious websites. This aff...
CVE-2022-1274 is an HTML injection vulnerability in Keycloak's execute-actions-email endpoint that allows attackers to inject arbitrary HTML into emails sent to users. This affects all Keycloak deploy...