ALT-PU-2026-6040-3

BDU:2026-05926

HIGH8.1

Уязвимость программного средства для управления идентификацией и доступом Keycloak, связанная с некорректным порядком поведения, позволяющая нарушителю получить несанкционированный доступ к конфиденциальной информации

Published: 2026-04-28Modified: 2026-05-15

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 2.0HIGH 8.5

CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:N

References

CVE-2026-4636

CVE-2025-14083

LOW2.7

A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.

Published: 2026-01-21Modified: 2026-04-15

CVSS 3.xLOW 2.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

References

CVE-2026-1002

MEDIUM6.9

The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html Mitgation Disabling Static Handler cache fixes the issue. StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);

Published: 2026-01-15Modified: 2026-02-05

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 4.0MEDIUM 6.9

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

CVE-2026-3429

MEDIUM4.2

A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.

Published: 2026-03-11Modified: 2026-04-02

CVSS 3.xMEDIUM 4.2

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References

CVE-2026-3872

HIGH7.3

A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.

Published: 2026-04-02Modified: 2026-04-16

CVSS 3.xHIGH 7.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

References

CVE-2026-4282

HIGH7.4

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.

Published: 2026-04-02Modified: 2026-04-16

CVSS 3.xHIGH 7.4

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References

CVE-2026-4634

HIGH7.5

A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.

Published: 2026-04-02Modified: 2026-04-16

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2026-4636

HIGH8.1

A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.

Published: 2026-04-02Modified: 2026-04-16

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References

GHSA-594w-2fwp-jwrc

LOW2.7

Keycloak Admin REST API exposes backend schema and rules

Published: 2026-01-21Modified: 2026-04-02

CVSS 3.xLOW 2.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

References

GHSA-8g9r-9wjw-37j4

MEDIUM4.2

Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API

Published: 2026-03-11Modified: 2026-04-02

CVSS 3.xMEDIUM 4.2

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References

GHSA-cjm2-j6cm-6p6m

HIGH7.3

Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint

Published: 2026-04-02Modified: 2026-04-04

CVSS 3.xHIGH 7.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

References

GHSA-cphf-4846-3xx9

MEDIUM6.9

Vert.x Web static handler component cache can be manipulated to deny the access to static files

Published: 2026-01-16Modified: 2026-01-16

CVSS 4.0

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

References

GHSA-f2hx-5fx3-hmcv

HIGH8.1

Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants

Published: 2026-04-02Modified: 2026-04-04

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References

GHSA-h4wv-g838-66g3

HIGH7.5

Keycloak: Application-Level DoS via Scope Processing

Published: 2026-04-02Modified: 2026-04-04

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

GHSA-hj93-h7pg-fh6v

HIGH7.4

Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw

Published: 2026-04-02Modified: 2026-04-04

CVSS 3.xHIGH 7.4

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References

Package update keycloak in branch p10

Closed issues (15)

A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.

Keycloak Admin REST API exposes backend schema and rules

Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API

Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint

Vert.x Web static handler component cache can be manipulated to deny the access to static files

Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants

Keycloak: Application-Level DoS via Scope Processing

Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw