| CVE | Title | Vendor | Product | Severity | CVSS | Date |
|---|---|---|---|---|---|---|
| CVE-2026-40948 | Apache Airflow Providers Keycloak: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager | Apache Software Foundation | Apache Airflow Providers Keycloak | - | - | 2026-04-18 13:22:42 |
| CVE-2026-37980 | org.keycloak.forms.login: keycloak: keycloak: arbitrary code execution via stored cross-site scripting (XSS) in organization selection login page | Red Hat | Red Hat Build of Keycloak | Medium | 6.9 | 2026-04-14 14:54:43 |
| CVE-2026-37977 | Keycloak: org.keycloak.protocol.oidc.grants.ciba: keycloak: information disclosure via CORS header injection due to unvalidated JWT azp claim | Red Hat | Red Hat Build of Keycloak | Low | 3.7 | 2026-04-06 08:38:37 |
| CVE-2026-4636 | Keycloak: keycloak: UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources | Red Hat | Red Hat build of Keycloak 26.2 | High | 8.1 | 2026-04-02 12:45:02 |
| CVE-2026-4634 | Keycloak: keycloak: denial of service via excessive processing of OpenID Connect scope parameters | Red Hat | Red Hat build of Keycloak 26.2 | High | 7.5 | 2026-04-02 12:44:53 |
| CVE-2026-4325 | Keycloak: keycloak: replay of action tokens via improper handling of single-use entries | Red Hat | Red Hat build of Keycloak 26.2 | Medium | 5.3 | 2026-04-02 12:44:53 |
| CVE-2026-4282 | Keycloak: keycloak: privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw | Red Hat | Red Hat build of Keycloak 26.2 | High | 7.4 | 2026-04-02 12:44:53 |
| CVE-2026-3872 | Keycloak: keycloak: information disclosure due to redirect_uri validation bypass | Red Hat | Red Hat build of Keycloak 26.2 | High | 7.3 | 2026-04-02 12:37:31 |
| CVE-2026-3121 | Keycloak: org.keycloak/keycloak-services: keycloak: privilege escalation via manage-clients permission | Red Hat | Red Hat build of Keycloak 26.4 | Medium | 6.5 | 2026-03-26 19:13:26 |
| CVE-2026-3190 | Keycloak: keycloak: information disclosure via improper role enforcement in UMA 2.0 Protection API | Red Hat | Red Hat build of Keycloak 26.4 | Medium | 4.3 | 2026-03-26 19:12:38 |
| CVE-2026-4874 | org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via OIDC token endpoint manipulation | Red Hat | Red Hat Build of Keycloak | Low | 3.1 | 2026-03-26 07:12:38 |
| CVE-2026-4633 | Keycloak: keycloak: user enumeration via differential error messages | Red Hat | Red Hat Build of Keycloak | Low | 3.7 | 2026-03-23 10:53:36 |
| CVE-2026-4628 | Keycloak: org.keycloak.authorization: keycloak: unauthorized resource modification due to improper access control | Red Hat | Red Hat Build of Keycloak | Medium | 4.3 | 2026-03-23 08:09:22 |
| CVE-2026-4366 | keycloak-services: blind server-side request forgery (SSRF) via HTTP redirect handling in Keycloak | Red Hat | Red Hat Build of Keycloak | Medium | 5.8 | 2026-03-18 04:03:00 |
| CVE-2026-2575 | Keycloak: keycloak: denial of service due to excessive SAMLRequest decompression | Red Hat | Red Hat build of Keycloak 26.4 | Medium | 5.3 | 2026-03-18 03:19:10 |
| CVE-2026-2603 | Keycloak: keycloak: unauthorized authentication via disabled SAML identity provider | Red Hat | Red Hat build of Keycloak 26.2 | High | 8.1 | 2026-03-18 01:14:54 |
| CVE-2026-2092 | keycloak-services: keycloak: unauthorized access via improper validation of encrypted SAML assertions | Red Hat | Red Hat build of Keycloak 26.2 | High | 7.7 | 2026-03-18 01:14:48 |
| CVE-2026-2366 | Keycloak: keycloak: information disclosure via authorization bypass in Admin API | Red Hat | Red Hat build of Keycloak 26.4 | Low | 3.1 | 2026-03-12 10:54:32 |
| CVE-2026-3429 | org.keycloak.services.resources.account: improper access control leading to MFA deletion and account takeover in Keycloak Account REST API | Red Hat | Red Hat build of Keycloak 26.4 | Medium | 4.2 | 2026-03-11 16:17:24 |
| CVE-2026-3911 | org.keycloak.services.resources.admin.UserResource: keycloak: information disclosure of disabled user attributes via administrative endpoint | Red Hat | Red Hat build of Keycloak 26.4 | Low | 2.7 | 2026-03-11 05:36:44 |