org.keycloak:keycloak-server-spi-private
Maven | 3 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.keycloak:keycloak-server-spi-private
- CVE-2020-10776 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 12.0.0 | 2020-11-17
vulnerable: 10.0.0 ... 9.0.3 (57 versions)
A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.
- CVE-2023-2585 | LOW | CVSS 3.5 | EG 3.5 | ✓ Fixed in 21.1.2 | 2023-12-21
vulnerable: 10.0.0 ... 9.0.3 (93 versions)
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent…
- CVE-2026-3190 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 26.5.6 | 2026-03-26
vulnerable: 10.0.0 ... 9.0.3 (162 versions)
A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server c…