ALT-PU-2026-4227-3

BDU:2026-01704

HIGH8.1

Уязвимость компонента JSON Web Token Handler программного средства для управления идентификацией и доступом Keycloak, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Опубликовано: 2026-02-11

CVSS 3.xВЫСОКАЯ 8.1

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 2.0ВЫСОКАЯ 8.5

CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:N

Ссылки

CVE-2026-1529

CVE-2025-14778

MEDIUM5.4

A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This allows a user (Owner A) who owns one resource (RA) to update a shared policy and modify authorization rules for other resources (e.g., RB) in that same policy, even if those other resources are owned by a different user (Owner B). This constitutes a horizontal privilege escalation.

Опубликовано: 2026-02-09Изменено: 2026-04-15

CVSS 3.xСРЕДНЯЯ 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Ссылки

CVE-2025-5416

LOW2.7

A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.

Опубликовано: 2025-06-20Изменено: 2025-08-13

CVSS 3.xНИЗКАЯ 2.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Ссылки

CVE-2026-0707

MEDIUM5.3

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.

Опубликовано: 2026-01-08Изменено: 2026-04-15

CVSS 3.xСРЕДНЯЯ 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Ссылки

CVE-2026-1190

LOW3.1

A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.

Опубликовано: 2026-01-26Изменено: 2026-04-15

CVSS 3.xНИЗКАЯ 3.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Ссылки

CVE-2026-1486

HIGH8.8

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.

Опубликовано: 2026-02-09Изменено: 2026-04-15

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ссылки

CVE-2026-1529

HIGH8.1

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access.

Опубликовано: 2026-02-09Изменено: 2026-04-15

CVSS 3.xВЫСОКАЯ 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Ссылки

CVE-2026-1609

NONE

CVE-2026-2092

HIGH7.7

A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.

Опубликовано: 2026-03-18Изменено: 2026-03-18

CVSS 3.xВЫСОКАЯ 7.7

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

Ссылки

CVE-2026-2575

MEDIUM5.3

A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.

Опубликовано: 2026-03-18Изменено: 2026-03-18

CVSS 3.xСРЕДНЯЯ 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Ссылки

CVE-2026-2603

HIGH8.1

A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.

Опубликовано: 2026-03-18Изменено: 2026-03-18

CVSS 3.xВЫСОКАЯ 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Ссылки

CVE-2026-2733

LOW3.8

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.

Опубликовано: 2026-02-19Изменено: 2026-04-15

CVSS 3.xНИЗКАЯ 3.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Ссылки

CVE-2026-3009

HIGH8.1

A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.

Опубликовано: 2026-03-05Изменено: 2026-03-24

CVSS 3.xВЫСОКАЯ 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Ссылки

CVE-2026-3047

HIGH8.8

A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.

Опубликовано: 2026-03-05Изменено: 2026-03-26

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ссылки

GHSA-37gf-gmxv-74wv

HIGH8.8

Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens

Опубликовано: 2026-02-10Изменено: 2026-02-14

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ссылки

GHSA-63v5-26vq-m4vm

LOW3.1

Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods

Опубликовано: 2026-01-27Изменено: 2026-03-06

CVSS 3.xНИЗКАЯ 3.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Ссылки

GHSA-8cr3-vpxx-92cx

HIGH8.8

Keycloak SAML Broken has Authentication Bypass by Primary Weakness

Опубликовано: 2026-03-06Изменено: 2026-03-07

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ссылки

GHSA-fjf4-6f34-w64q

LOW3.8

Keycloak: Missing Check on Disabled Client for Docker Registry Protocol

Опубликовано: 2026-02-19Изменено: 2026-03-06

CVSS 3.xНИЗКАЯ 3.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Ссылки

GHSA-fm6w-rrp3-2x4w

MEDIUM5.4

Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService

Опубликовано: 2026-02-10Изменено: 2026-02-14

CVSS 3.xСРЕДНЯЯ 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Ссылки

GHSA-gv94-wp4h-vv8p

MEDIUM5.3

Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Опубликовано: 2026-01-08Изменено: 2026-03-06

CVSS 3.xСРЕДНЯЯ 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Ссылки

GHSA-hcvw-475w-8g7p

HIGH8.1

Keycloak affected by improper invitation token validation

Опубликовано: 2026-02-10Изменено: 2026-02-13

CVSS 3.xВЫСОКАЯ 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Ссылки

GHSA-m297-3jv9-m927

HIGH8.1

Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator

Опубликовано: 2026-03-06Изменено: 2026-03-07

CVSS 3.xВЫСОКАЯ 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Ссылки

GHSA-wmxr-6j5f-838p

HIGH7.7

Keycloak: Unauthorized access via improper validation of encrypted SAML assertions

Опубликовано: 2026-03-18Изменено: 2026-04-08

CVSS 3.xВЫСОКАЯ 7.7

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

Ссылки

GHSA-x4p7-7chp-64hq

HIGH8.1

Keycloak: Unauthorized authentication via disabled SAML Identity Provider

Опубликовано: 2026-03-18Изменено: 2026-04-16

CVSS 3.xВЫСОКАЯ 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Ссылки

GHSA-xv6h-r36f-3gp5

MEDIUM5.3

Keycloak: Denial of Service due to excessive SAMLRequest decompression

Опубликовано: 2026-03-18Изменено: 2026-03-18

CVSS 3.xСРЕДНЯЯ 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Ссылки

Обновление пакета keycloak в ветке p11

Закрытые проблемы (25)

A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.

Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens

Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods

Keycloak SAML Broken has Authentication Bypass by Primary Weakness

Keycloak: Missing Check on Disabled Client for Docker Registry Protocol

Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService

Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Keycloak affected by improper invitation token validation

Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator

Keycloak: Unauthorized access via improper validation of encrypted SAML assertions

Keycloak: Unauthorized authentication via disabled SAML Identity Provider

Keycloak: Denial of Service due to excessive SAMLRequest decompression

Закрытые ошибки (1)

Необходимо запускать сервис от непривелегированного пользователя