org.keycloak:keycloak-quarkus-server
Maven · 9 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.keycloak:keycloak-quarkus-server (page 1 of 1)
- CVE-2024-10451 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 26.0.6 | 2024-11-25
vulnerable: 25.0.0 ... 26.0.5 (12 versions)
A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure…
- CVE-2024-10492 | LOW | CVSS 2.7 | EG 2.7 | ✓ Fixed in 26.0.6 | 2024-11-25
vulnerable: 25.0.0 ... 26.0.5 (12 versions)
A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to …
- CVE-2024-10973 | MEDIUM | CVSS 5.7 | EG 5.7 | ✓ Fixed in 26.0.6 | 2024-12-17
vulnerable: 25.0.0 ... 26.0.5 (12 versions)
A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent net…
- CVE-2024-11734 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 26.0.8 | 2025-01-14
vulnerable: 12.0.0 ... 26.0.7 (71 versions)
A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newl…
- CVE-2024-11736 | MEDIUM | CVSS 4.9 | EG 4.9 | ✓ Fixed in 26.0.8 | 2025-01-14
vulnerable: 12.0.0 ... 26.0.7 (71 versions)
A vulnerability was found in Keycloak. Admin users may be able to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can incl…
- CVE-2024-9666 | MEDIUM | CVSS 4.7 | EG 4.7 | ✓ Fixed in 26.0.6 | 2024-11-25
vulnerable: 25.0.0 ... 26.0.5 (12 versions)
A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept …
- CVE-2025-10939 | LOW | CVSS 3.7 | EG 3.7 | ✓ Fixed in 26.4.4 | 2025-10-28
vulnerable: 12.0.0 ... 26.4.3 (94 versions)
A flaw was found in Keycloak. The Keycloak guides recommend not exposing the /admin path to the outside when the installation is behind a proxy. The issue occurs at least via ha-proxy, as it can be tricked into using relative/non-normalized p…
- CVE-2025-11537 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 26.5.6 | 2026-02-10
vulnerable: 12.0.0 ... 26.5.5 (104 versions)
A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. …
- CVE-2026-0976 | LOW | CVSS 3.7 | EG 3.7 | no fixed version listed | 2026-01-15
vulnerable: 12.0.0 ... 26.2.5 (84 versions)
A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remo…