
Red Hat build of Keycloak 26.4 — Vulnerabilities & Security Advisories (19)

All 19 CVE vulnerabilities found in Red Hat build of Keycloak 26.4, with AI-generated Chinese analysis, references, and POCs.

Vendor: Red Hat

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-3121 | Keycloak: org.keycloak/keycloak-services: keycloak: privilege escalation via manage-clients permission | CWE-266 | 6.5 | Medium | 2026-03-26 |
| CVE-2026-3190 | Keycloak: keycloak: information disclosure via improper role enforcement in UMA 2.0 Protection API | CWE-280 | 4.3 | Medium | 2026-03-26 |
| CVE-2026-2575 | Keycloak: keycloak: denial of service due to excessive SAMLRequest decompression | CWE-409 | 5.3 | Medium | 2026-03-18 |
| CVE-2026-2366 | Keycloak: keycloak: information disclosure via authorization bypass in Admin API | CWE-639 | 3.1 | Low | 2026-03-12 |
| CVE-2026-3429 | org.keycloak.services.resources.account: improper access control leading to MFA deletion and account takeover in Keycloak Account REST API | CWE-284 | 4.2 | Medium | 2026-03-11 |
| CVE-2026-3911 | org.keycloak.services.resources.admin.UserResource: keycloak: information disclosure of disabled user attributes via administrative endpoint | CWE-359 | 2.7 | Low | 2026-03-11 |
| CVE-2026-3009 | org.keycloak/keycloak-services: improper enforcement of disabled identity provider in IdentityBrokerService (authentication bypass) | CWE-863 | 8.1 | High | 2026-03-05 |
| CVE-2026-0871 | org.keycloak/keycloak-services: keycloak: unauthorized modification of unmanaged user attributes by administrators | CWE-266 | 4.9 | Medium | 2026-02-27 |
| CVE-2026-2733 | org.keycloak/keycloak-services: keycloak: missing check on disabled client for Docker registry protocol | CWE-285 | 3.8 | Low | 2026-02-19 |
| CVE-2026-1486 | org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for JWT authorization grant | CWE-358 | 8.8 | High | 2026-02-09 |
| CVE-2025-13881 | org.keycloak.services.resources.admin: keycloak: limited administrator can retrieve sensitive user attributes via Admin API | CWE-266 | 2.7 | Low | 2026-02-02 |
| CVE-2026-1190 | org.keycloak/keycloak-services: keycloak SAML brokering: response delay due to unchecked NotOnOrAfter in SubjectConfirmationData | CWE-112 | 3.1 | Low | 2026-01-26 |
| CVE-2025-14083 | keycloak-server: keycloak: improper access control in Admin REST API leads to information disclosure | CWE-284 | 2.7 | Low | 2026-01-21 |
| CVE-2025-14559 | org.keycloak/keycloak-services: keycloak keycloak-services: business logic flaw allows unauthorized token issuance for disabled users | CWE-840 | 6.5 | Medium | 2026-01-21 |
| CVE-2026-1035 | org.keycloak.protocol.oidc: keycloak refresh token reuse bypass via TOCTOU race condition | CWE-367 | 3.1 | Low | 2026-01-21 |
| CVE-2026-1180 | org.keycloak.protocol.oidc: blind server-side request forgery (SSRF) in Keycloak OIDC dynamic client registration via jwks_uri | CWE-918 | 5.8 | Medium | 2026-01-20 |
| CVE-2026-0707 | Keycloak: keycloak Authorization header parsing leading to potential security control bypass | CWE-551 | 5.3 | Medium | 2026-01-08 |
| CVE-2025-14777 | Keycloak: keycloak IDOR in realm client creating/deleting | CWE-289 | 6.0 | Medium | 2025-12-16 |
| CVE-2025-14082 | keycloak-services: keycloak Admin REST API: improper access control leads to sensitive role metadata information disclosure | CWE-284 | 2.7 | Low | 2025-12-10 |

All 19 known CVE vulnerabilities affecting Red Hat build of Keycloak 26.4 with full Chinese analysis, references, and POCs where available.