org.keycloak:keycloak-services
Maven: 64 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.keycloak:keycloak-services (page 2 of 2)
- CVE-2026-1529 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 26.4.9 | 2026-02-09
vulnerable: 26.3.0 ... 26.4.7 (14 versions)
A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verificati…
- CVE-2026-2733 | LOW | CVSS 3.8 | EG 3.8 | 2026-02-19
vulnerable: 1.0-alpha-1 ... 9.0.3 (220 versions)
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting…
- CVE-2026-3121 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 26.5.6 | 2026-03-26
vulnerable: 1.0-alpha-1 ... 9.0.3 (222 versions)
A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain contr…
- CVE-2026-3190 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 26.5.6 | 2026-03-26
vulnerable: 1.0-alpha-1 ... 9.0.3 (222 versions)
A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server c…
- CVE-2026-3429 | MEDIUM | CVSS 4.2 | EG 4.2 | 2026-03-11
vulnerable: 1.0-alpha-1 ... 9.0.3 (223 versions)
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtain…
- CVE-2026-37977 | LOW | CVSS 3.7 | EG 3.7 | 2026-04-06
vulnerable: 1.0-alpha-1 ... 9.0.3 (224 versions)
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a clien…
- CVE-2026-37980 | MEDIUM | CVSS 6.9 | EG 6.9 | 2026-04-14
vulnerable: 1.0-alpha-1 ... 9.0.3 (222 versions)
A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. T…
- CVE-2026-3872 | HIGH | CVSS 7.3 | EG 7.3 | ✓ Fixed in 26.5.7 | 2026-04-02
vulnerable: 1.0-alpha-1 ... 9.0.3 (223 versions)
A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to …
- CVE-2026-3911 | LOW | CVSS 2.7 | EG 2.7 | 2026-03-11
vulnerable: 1.0-alpha-1 ... 9.0.3 (222 versions)
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes …
- CVE-2026-4282 | HIGH | CVSS 7.4 | EG 7.4 | ✓ Fixed in 26.5.7 | 2026-04-02
vulnerable: 1.0-alpha-1 ... 9.0.3 (223 versions)
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can…
- CVE-2026-4325 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 26.5.7 | 2026-04-02
vulnerable: 1.0-alpha-1 ... 9.0.3 (223 versions)
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of co…
- CVE-2026-4634 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 26.5.7 | 2026-04-02
vulnerable: 1.0-alpha-1 ... 9.0.3 (223 versions)
A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high r…
- CVE-2026-4636 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 26.5.7 | 2026-04-02
vulnerable: 1.0-alpha-1 ... 9.0.3 (223 versions)
A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation req…
- CVE-2026-7500 | MEDIUM | CVSS 5.4 | EG 5.4 | 2026-04-30
vulnerable: 1.0-alpha-1 ... 9.0.3 (226 versions)
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write…