ALT-PU-2026-4903-3

BDU:2026-01704

HIGH8.1

Уязвимость компонента JSON Web Token Handler программного средства для управления идентификацией и доступом Keycloak, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Опубликовано: 2026-02-11

CVSS 3.xВЫСОКАЯ 8.1

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 2.0ВЫСОКАЯ 8.5

CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:N

Ссылки

CVE-2026-1529

CVE-2025-14082

LOW2.7

A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.

Опубликовано: 2025-12-10Изменено: 2026-04-15

CVSS 3.xНИЗКАЯ 2.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Ссылки

CVE-2025-14777

MEDIUM6.0

A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.

Опубликовано: 2025-12-16Изменено: 2026-04-15

CVSS 3.xСРЕДНЯЯ 6.0

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L

Ссылки

CVE-2025-14778

MEDIUM5.4

A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This allows a user (Owner A) who owns one resource (RA) to update a shared policy and modify authorization rules for other resources (e.g., RB) in that same policy, even if those other resources are owned by a different user (Owner B). This constitutes a horizontal privilege escalation.

Опубликовано: 2026-02-09Изменено: 2026-04-15

CVSS 3.xСРЕДНЯЯ 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Ссылки

CVE-2025-5416

LOW2.7

A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.

Опубликовано: 2025-06-20Изменено: 2025-08-13

CVSS 3.xНИЗКАЯ 2.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Ссылки

CVE-2026-0707

MEDIUM5.3

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.

Опубликовано: 2026-01-08Изменено: 2026-04-15

CVSS 3.xСРЕДНЯЯ 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Ссылки

CVE-2026-1035

LOW3.1

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.

Опубликовано: 2026-01-21Изменено: 2026-04-15

CVSS 3.xНИЗКАЯ 3.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Ссылки

CVE-2026-1180

MEDIUM5.8

A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.

Опубликовано: 2026-01-20Изменено: 2026-04-15

CVSS 3.xСРЕДНЯЯ 5.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Ссылки

CVE-2026-1190

LOW3.1

A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.

Опубликовано: 2026-01-26Изменено: 2026-04-15

CVSS 3.xНИЗКАЯ 3.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Ссылки

CVE-2026-1486

HIGH8.8

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.

Опубликовано: 2026-02-09Изменено: 2026-04-15

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ссылки

CVE-2026-1529

HIGH8.1

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access.

Опубликовано: 2026-02-09Изменено: 2026-04-15

CVSS 3.xВЫСОКАЯ 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Ссылки

CVE-2026-1609

NONE

CVE-2026-2092

HIGH7.7

A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.

Опубликовано: 2026-03-18Изменено: 2026-03-18

CVSS 3.xВЫСОКАЯ 7.7

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

Ссылки

CVE-2026-2366

LOW3.1

A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.

Опубликовано: 2026-03-12Изменено: 2026-04-02

CVSS 3.xНИЗКАЯ 3.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Ссылки

CVE-2026-2575

MEDIUM5.3

A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.

Опубликовано: 2026-03-18Изменено: 2026-03-18

CVSS 3.xСРЕДНЯЯ 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Ссылки

CVE-2026-2603

HIGH8.1

A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.

Опубликовано: 2026-03-18Изменено: 2026-03-18

CVSS 3.xВЫСОКАЯ 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Ссылки

CVE-2026-2733

LOW3.8

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.

Опубликовано: 2026-02-19Изменено: 2026-04-15

CVSS 3.xНИЗКАЯ 3.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Ссылки

CVE-2026-3009

HIGH8.1

A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.

Опубликовано: 2026-03-05Изменено: 2026-03-24

CVSS 3.xВЫСОКАЯ 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Ссылки

CVE-2026-3047

HIGH8.8

A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.

Опубликовано: 2026-03-05Изменено: 2026-03-26

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ссылки

CVE-2026-3121

HIGH7.2

A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.

Опубликовано: 2026-03-26Изменено: 2026-04-02

CVSS 3.xВЫСОКАЯ 7.2

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Ссылки

CVE-2026-3190

MEDIUM4.3

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.

Опубликовано: 2026-03-26Изменено: 2026-04-02

CVSS 3.xСРЕДНЯЯ 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Ссылки

CVE-2026-3911

LOW2.7

A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.

Опубликовано: 2026-03-11Изменено: 2026-04-02

CVSS 3.xНИЗКАЯ 2.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Ссылки

GHSA-37gf-gmxv-74wv

HIGH8.8

Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens

Опубликовано: 2026-02-10Изменено: 2026-02-14

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ссылки

GHSA-63v5-26vq-m4vm

LOW3.1

Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods

Опубликовано: 2026-01-27Изменено: 2026-03-06

CVSS 3.xНИЗКАЯ 3.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Ссылки

GHSA-6q37-7866-h27j

LOW2.7

Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions

Опубликовано: 2025-12-10Изменено: 2026-04-02

CVSS 3.xНИЗКАЯ 2.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Ссылки

GHSA-7vw6-5q2f-7w5r

MEDIUM5.8

Keycloak’s OpenID Connect Dynamic Client Registration feature affected by Server-Side Request Forgery (SSRF)

Опубликовано: 2026-01-20Изменено: 2026-04-02

CVSS 3.xСРЕДНЯЯ 5.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Ссылки

GHSA-7xf9-4jfc-wgm4

MEDIUM6.5

Keycloak: manage-clients permission escalates to full realm admin access

Опубликовано: 2026-03-27Изменено: 2026-04-06

CVSS 3.xСРЕДНЯЯ 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Ссылки

GHSA-8cr3-vpxx-92cx

HIGH8.8

Keycloak SAML Broken has Authentication Bypass by Primary Weakness

Опубликовано: 2026-03-06Изменено: 2026-03-07

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ссылки

GHSA-fjf4-6f34-w64q

LOW3.8

Keycloak: Missing Check on Disabled Client for Docker Registry Protocol

Опубликовано: 2026-02-19Изменено: 2026-03-06

CVSS 3.xНИЗКАЯ 3.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Ссылки

GHSA-fm6w-rrp3-2x4w

MEDIUM5.4

Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService

Опубликовано: 2026-02-10Изменено: 2026-02-14

CVSS 3.xСРЕДНЯЯ 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Ссылки

GHSA-gv94-wp4h-vv8p

MEDIUM5.3

Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Опубликовано: 2026-01-08Изменено: 2026-03-06

CVSS 3.xСРЕДНЯЯ 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Ссылки

GHSA-hcvw-475w-8g7p

HIGH8.1

Keycloak affected by improper invitation token validation

Опубликовано: 2026-02-10Изменено: 2026-02-13

CVSS 3.xВЫСОКАЯ 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Ссылки

GHSA-m297-3jv9-m927

HIGH8.1

Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator

Опубликовано: 2026-03-06Изменено: 2026-03-07

CVSS 3.xВЫСОКАЯ 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Ссылки

GHSA-m2w5-7xhv-w6fh

LOW3.1

Keycloak does not validate and update refresh token usage atomically

Опубликовано: 2026-01-21Изменено: 2026-04-02

CVSS 3.xНИЗКАЯ 3.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Ссылки

GHSA-q35r-vvhv-vx5h

MEDIUM4.3

Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure

Опубликовано: 2026-03-27Изменено: 2026-04-02

CVSS 3.xСРЕДНЯЯ 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Ссылки

GHSA-r8jr-wg88-fq5c

LOW3.1

Keycloak vulnerable to authorization bypass via the Admin API

Опубликовано: 2026-03-12Изменено: 2026-04-02

CVSS 3.xНИЗКАЯ 3.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Ссылки

GHSA-wmxr-6j5f-838p

HIGH7.7

Keycloak: Unauthorized access via improper validation of encrypted SAML assertions

Опубликовано: 2026-03-18Изменено: 2026-04-08

CVSS 3.xВЫСОКАЯ 7.7

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

Ссылки

GHSA-x4p7-7chp-64hq

HIGH8.1

Keycloak: Unauthorized authentication via disabled SAML Identity Provider

Опубликовано: 2026-03-18Изменено: 2026-04-16

CVSS 3.xВЫСОКАЯ 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Ссылки

GHSA-xh32-c9wx-phrp

LOW2.7

Keycloak: Information disclosure of disabled user attributes via administrative endpoint

Опубликовано: 2026-03-11Изменено: 2026-04-02

CVSS 3.xНИЗКАЯ 2.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Ссылки

GHSA-xv6h-r36f-3gp5

MEDIUM5.3

Keycloak: Denial of Service due to excessive SAMLRequest decompression

Опубликовано: 2026-03-18Изменено: 2026-03-18

CVSS 3.xСРЕДНЯЯ 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Ссылки

Обновление пакета keycloak в ветке p10

Закрытые проблемы (40)

A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.

A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.

Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens

Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods

Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions

Keycloak’s OpenID Connect Dynamic Client Registration feature affected by Server-Side Request Forgery (SSRF)

Keycloak: manage-clients permission escalates to full realm admin access

Keycloak SAML Broken has Authentication Bypass by Primary Weakness

Keycloak: Missing Check on Disabled Client for Docker Registry Protocol

Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService

Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Keycloak affected by improper invitation token validation

Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator

Keycloak does not validate and update refresh token usage atomically

Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure

Keycloak vulnerable to authorization bypass via the Admin API

Keycloak: Unauthorized access via improper validation of encrypted SAML assertions

Keycloak: Unauthorized authentication via disabled SAML Identity Provider

Keycloak: Information disclosure of disabled user attributes via administrative endpoint

Keycloak: Denial of Service due to excessive SAMLRequest decompression

Закрытые ошибки (1)

Необходимо запускать сервис от непривелегированного пользователя