ALT-PU-2026-4780-3

Update of the keycloak package in the sisyphus branch

Version: 26.5.6-alt1
Task: #411960
Published: 2026-03-30
Max. severity: HIGH

Closed issues (15)

CVE-2025-14082
LOW 2.7

A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.

Published: 2025-12-10  Modified: 2026-04-15
CVSS 3.x: LOW 2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CVE-2025-14777
MEDIUM 6.0

A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.

Published: 2025-12-16  Modified: 2026-04-15
CVSS 3.x: MEDIUM 6.0
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
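The CVE-2025-14777 entry describes a mismatch between the scope the authorization check is evaluated against (the resource server named in the request) and the key the data operation uses (the resource id alone). The following is an added illustration of that pattern and its fix in a small constructed model; it is not Keycloak's code, and the names (`Store`, `delete_resource_vulnerable`, `delete_resource_hardened`, the `GRANTS` table, the sample resource ids) are hypothetical.

```python
"""Constructed model of the IDOR pattern from CVE-2025-14777.

Not Keycloak code: a fine-grained admin is granted management rights on one
client (resource server), and the delete operation must not reach resources
owned by other clients in the same realm.
"""
from dataclasses import dataclass, field


@dataclass
class Resource:
    resource_id: str
    resource_server: str  # the client that owns this resource
    name: str


@dataclass
class Store:
    resources: dict = field(default_factory=dict)

    def find_by_id(self, resource_id):
        return self.resources.get(resource_id)

    def delete(self, resource_id):
        return self.resources.pop(resource_id, None) is not None


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


# Constructed fine-grained admin grants: admin -> clients they may manage.
GRANTS = {"alice": {"client-a"}, "bob": {"client-b"}}


def can_manage(admin, resource_server):
    return resource_server in GRANTS.get(admin, set())


def delete_resource_vulnerable(store, admin, resource_server, resource_id):
    # The permission is checked against the resource server named in the
    # request ...
    if not can_manage(admin, resource_server):
        raise Forbidden(admin)
    # ... but the operation is keyed on resource_id only, so a resource of
    # any client in the realm is reachable once the caller manages one client.
    return store.delete(resource_id)


def delete_resource_hardened(store, admin, resource_server, resource_id):
    if not can_manage(admin, resource_server):
        raise Forbidden(admin)
    resource = store.find_by_id(resource_id)
    # Bind the object to the authorized scope: the resource must belong to the
    # resource server the permission was checked against. A foreign resource
    # gets the same answer as a missing one, so the check is not an oracle.
    if resource is None or resource.resource_server != resource_server:
        raise NotFound(resource_id)
    return store.delete(resource_id)


def build_store():
    # Constructed sample data: one resource per client.
    s = Store()
    s.resources["r-a1"] = Resource("r-a1", "client-a", "photos")
    s.resources["r-b1"] = Resource("r-b1", "client-b", "invoices")
    return s


def demo():
    """Return (vulnerable deleted foreign resource,
               hardened deleted foreign resource,
               hardened deleted own resource)."""
    s = build_store()
    vuln = delete_resource_vulnerable(s, "alice", "client-a", "r-b1")

    s = build_store()
    try:
        delete_resource_hardened(s, "alice", "client-a", "r-b1")
        hard_foreign = True
    except NotFound:
        hard_foreign = False
    hard_own = delete_resource_hardened(s, "alice", "client-a", "r-a1")
    return vuln, hard_foreign, hard_own


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The general rule the hardened version applies is that every lookup by a client-supplied identifier must re-verify that the fetched object lies inside the scope the caller was authorized for; an authorization check on request parameters alone is not enough.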
CVE-2026-1035
LOW 3.1

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.

Published: 2026-01-21  Modified: 2026-04-15
CVSS 3.x: LOW 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
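The CVE-2026-1035 entry turns on the reuse check and the usage update not being one atomic step. The following added example models that check-then-act race against an atomic single-use redemption, using a barrier so that the concurrent requests reliably line up. It is a constructed model, not Keycloak's `TokenManager`; `RefreshTokenStore`, `redeem_racy`, `redeem_atomic` and the token ids are hypothetical names.

```python
"""Constructed model of the refresh-token reuse race from CVE-2026-1035.

Not Keycloak code. Under strict rotation a refresh token may be redeemed once;
if the "already used?" read and the "mark used" write are separate steps,
concurrent requests can all pass the read before any of them writes.
"""
import threading


def new_access_token(token_id):
    # Placeholder for minting an access token after a successful refresh.
    return f"access-for-{token_id}"


class RefreshTokenStore:
    def __init__(self):
        self._used = {}  # token id -> already redeemed?
        self._lock = threading.Lock()

    def issue(self, token_id):
        self._used[token_id] = False

    def redeem_racy(self, token_id, barrier):
        # Check-then-act with no synchronisation between the two steps.
        if self._used[token_id]:
            return None
        barrier.wait()  # every concurrent request has passed the check by now
        self._used[token_id] = True
        return new_access_token(token_id)

    def redeem_atomic(self, token_id, barrier):
        barrier.wait()  # same concurrency, but check and update are one unit
        with self._lock:
            if self._used[token_id]:
                return None
            self._used[token_id] = True
        return new_access_token(token_id)


def run_concurrent(redeem, n=8):
    """Fire n simultaneous refresh requests for one token and return how
    many of them were granted an access token."""
    store = RefreshTokenStore()
    store.issue("rt-1")
    barrier = threading.Barrier(n)
    results = [None] * n

    def worker(i):
        results[i] = redeem(store, "rt-1", barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(r is not None for r in results)


def granted_racy(n=8):
    """Non-atomic check: all n concurrent requests succeed."""
    return run_concurrent(RefreshTokenStore.redeem_racy, n)


def granted_atomic(n=8):
    """Atomic check-and-update: exactly one request succeeds."""
    return run_concurrent(RefreshTokenStore.redeem_atomic, n)


if __name__ == "__main__":
    print("racy:", granted_racy(), "atomic:", granted_atomic())
```

In a database-backed store the in-process lock corresponds to a conditional update that flips the used flag only if it is still clear and treats zero affected rows as a rejected reuse; the point is that the decision and the state change must be one indivisible operation across all server instances, not two separate round trips.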
CVE-2026-1180
MEDIUM 5.8

A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.

Published: 2026-01-20  Modified: 2026-04-15
CVSS 3.x: MEDIUM 5.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CVE-2026-2366
LOW 3.1

A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.

Published: 2026-03-12  Modified: 2026-04-02
CVSS 3.x: LOW 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2026-3121
HIGH 7.2

A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.

Published: 2026-03-26  Modified: 2026-04-02
CVSS 3.x: HIGH 7.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2026-3190
MEDIUM 4.3

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability leads to partial information disclosure.

Published: 2026-03-26  Modified: 2026-04-02
CVSS 3.x: MEDIUM 4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2026-3911
LOW 2.7

A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.

Published: 2026-03-11  Modified: 2026-04-02
CVSS 3.x: LOW 2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
GHSA-6q37-7866-h27j
LOW 2.7

Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions

Published: 2025-12-10  Modified: 2026-04-02
CVSS 3.x: LOW 2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
GHSA-7vw6-5q2f-7w5r
MEDIUM 5.8

Keycloak’s OpenID Connect Dynamic Client Registration feature affected by Server-Side Request Forgery (SSRF)

Published: 2026-01-20  Modified: 2026-04-02
CVSS 3.x: MEDIUM 5.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
GHSA-m2w5-7xhv-w6fh
LOW 3.1

Keycloak does not validate and update refresh token usage atomically

Published: 2026-01-21  Modified: 2026-04-02
CVSS 3.x: LOW 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
GHSA-r8jr-wg88-fq5c
LOW 3.1

Keycloak vulnerable to authorization bypass via the Admin API

Published: 2026-03-12  Modified: 2026-04-02
CVSS 3.x: LOW 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N