Filtered by vendor Keycloak
Subscriptions
Filtered by product Keycloak
Subscriptions
Total
10 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-3429 | 1 Keycloak | 1 Keycloak | 2026-03-03 | 4.2 Medium |
| A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication. | ||||
| CVE-2026-3190 | 1 Keycloak | 1 Keycloak | 2026-02-26 | 4.3 Medium |
| No description is available for this CVE. | ||||
| CVE-2026-3121 | 1 Keycloak | 1 Keycloak | 2026-02-25 | 6.5 Medium |
| No description is available for this CVE. | ||||
| CVE-2026-2575 | 1 Keycloak | 1 Keycloak | 2026-02-17 | 5.3 Medium |
| No description is available for this CVE. | ||||
| CVE-2026-2366 | 1 Keycloak | 1 Keycloak | 2026-02-16 | 3.1 Low |
| No description is available for this CVE. | ||||
| CVE-2014-3709 | 1 Keycloak | 1 Keycloak | 2025-04-20 | N/A |
| The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection. | ||||
| CVE-2017-12159 | 2 Keycloak, Redhat | 5 Keycloak, Enterprise Linux Server, Jboss Single Sign On and 2 more | 2025-04-20 | N/A |
| It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. | ||||
| CVE-2017-12158 | 2 Keycloak, Redhat | 5 Keycloak, Enterprise Linux Server, Jboss Single Sign On and 2 more | 2025-04-20 | N/A |
| It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. | ||||
| CVE-2014-3651 | 1 Keycloak | 1 Keycloak | 2025-04-20 | N/A |
| JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation. | ||||
| CVE-2017-12161 | 1 Keycloak | 1 Keycloak | 2024-11-21 | N/A |
| It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks. | ||||
Page 1 of 1.