Skip to content

RadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

CWE Directory
CAPEC Directory
CNA Directory
CNA Report Cards
Data Sources

Calculators

CVSS Calculator
CVSS 4.0
CVSS 3.1
CVSS 3.0
CVSS 2.0

Platform

My Vulnerabilities
Insights
Notifications
Account
Pricing

Learn

All guides
What is a CVE?
What is CVSS?
The CISA KEV catalog
What is EPSS?

Company

About us
Blog
Book a demo

Get Started

Sign up
Log in

Legal

Privacy
Terms

Security data

Weaknesses (CWE)The MITRE CWE weakness catalog
Attack Patterns (CAPEC)MITRE CAPEC attack patterns
CNAsNumbering authorities + report cards
VendorsVulnerabilities by vendor

Tools

CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

LearnPlain-English security guides
Data SourcesHow we source CVE data

About Us Blog Pricing Book a Demo

Log in

Home
Vendors
Red Hat
Red Hat Build Of Keycloak

Red Hat Build of Keycloak Vulnerabilities: CVEs, CISA KEV & Security Advisories

70 CVEs

Red Hat Build of Keycloak Vulnerabilities

CVE security advisories and vulnerability history for Red Hat Build of Keycloak by Red Hat.

70

Total CVEs

Published

0

In CISA KEV

Exploited in the wild

1

Public exploits

With known exploit

5.6

Avg CVSS

2023–2026

Last updated June 5, 2026

Overview

Red Hat Build of Keycloak has 70 published CVE records since 2023, of which 0 are in CISA's Known Exploited Vulnerabilities catalog and 1 have a known public exploit. The average CVSS base score across scored CVEs is 5.6.

This page aggregates every publicly disclosed vulnerability (CVE) affecting Red Hat Build of Keycloak, with a severity breakdown, the affected and patched versions, the most common weakness types, and the full CVE list.

Severity and exploitation

How the CVSS severity of Red Hat Build of Keycloak's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical0

High17

Medium41

Low12

In CISA’s Known Exploited Vulnerabilities catalog

0

None of Red Hat Build of Keycloak's CVEs are currently listed in CISA's KEV catalog.

Public exploits

1

One of Red Hat Build of Keycloak's CVEs has a known public exploit available.

Affected versions and CVEs

Browse every Red Hat Build of Keycloak version named in a CVE, then pick one to see only the CVEs that affect it.

Default status

All versions36 CVEs

Find a version

70 CVEs

Sort

Keycloak: keycloak: information disclosure due to user profile permission bypass
CVE-2026-9088CWE-1220
Low · CVSS 2.7
EPSS 0.0% (1th pct)2026-06-05
Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster restart
CVE-2026-9802CWE-613
Medium · CVSS 6.8
EPSS 0.0% (13th pct)2026-05-28
Keycloak: keycloak: denial of service via malformed authorization header
CVE-2026-9803CWE-125
Medium · CVSS 5.3
EPSS 0.1% (27th pct)2026-05-28
Keycloak: keycloak: denial of service via malformed ldap password policy response
CVE-2026-9801
Workaround
CWE-1284
Medium · CVSS 4.9
EPSS 0.2% (48th pct)2026-05-28
Keycloak: keycloak: brute-force protection bypass in ciba flow
CVE-2026-9798
Workaround
CWE-305
Medium · CVSS 4.3
EPSS 0.1% (17th pct)2026-05-28
Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability
CVE-2026-9796CWE-367
Medium · CVSS 6.5
EPSS 0.0% (8th pct)2026-05-28
Keycloak: keycloak: privilege escalation via improper scope mapping enforcement
CVE-2026-9795
Workaround
CWE-266
High · CVSS 7.3
EPSS 0.0% (11th pct)2026-05-28
Keycloak: keycloak: information disclosure via saml ecp endpoint
CVE-2026-9794CWE-209
Medium · CVSS 5.3
EPSS 0.0% (12th pct)2026-05-28
Keycloak: keycloak: security restriction bypass allows unauthorized ropc token acquisition
CVE-2026-9792
Workaround
CWE-280
Medium · CVSS 6.5
EPSS 0.0% (11th pct)2026-05-28
Keycloak: keycloak: security policy bypass in jwe-encrypted request object processing
CVE-2026-9793CWE-347
Medium · CVSS 5.9
EPSS 0.0% (2th pct)2026-05-28
Keycloak-rhel9: organization data leak after feature disabled in keycloak
CVE-2026-9791
Workaround
CWE-863
Medium · CVSS 4.3
EPSS 0.0% (8th pct)2026-05-28
Keycloak: keycloak: privilege escalation due to oversized subject_token jwt
CVE-2026-9704
Workaround
CWE-1284
Medium · CVSS 6.8
EPSS 0.0% (14th pct)2026-05-27
Keycloak: org.keycloak.protocol.oidc: http parameter pollution in oidc redirect uri allows response parameter duplication - #ghi-604
CVE-2026-9689CWE-1288
Medium · CVSS 4.2
EPSS 0.1% (23th pct)2026-05-27
Keycloak: cross-session email verification proof not bound to upstream identity in first-broker-login
CVE-2026-9087
Workaround
CWE-639
Medium · CVSS 6.4
EPSS 0.0% (8th pct)2026-05-20
Org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: security flaw in org.keycloak/keycloak-services
CVE-2026-8922CWE-303
Medium · CVSS 5.4
EPSS 0.0% (1th pct)2026-05-19
Keycloak: org.keycloak/keycloak-services: keycloak: policy bypass during webauthn credential registration via client-side javascript manipulation
CVE-2026-8830
Patch
CWE-603
Medium · CVSS 4.3
EPSS 0.0% (4th pct)2026-05-19
Org.keycloak.keycloak-services: improper access control on keycloak server when the account account api feature is disabled
CVE-2026-7500
Workaround
CWE-425
Medium · CVSS 5.4
EPSS 0.0% (9th pct)2026-04-30
Org.keycloak.forms.login: keycloak: keycloak: arbitrary code execution via stored cross-site scripting (xss) in organization selection login page
CVE-2026-37980
Workaround
CWE-79
Medium · CVSS 6.9
EPSS 0.0% (16th pct)2026-04-14
Keycloak: org.keycloak.protocol.oidc.grants.ciba: keycloak: information disclosure via cors header injection due to unvalidated jwt azp claim
CVE-2026-37977CWE-346
Low · CVSS 3.7
EPSS 0.0% (1th pct)2026-04-06
Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation
CVE-2026-4874CWE-918
Low · CVSS 3.1
EPSS 0.0% (1th pct)2026-03-26
Keycloak: keycloak: user enumeration via differential error messages
CVE-2026-4633
Patch
CWE-209
Low · CVSS 3.7
EPSS 0.0% (5th pct)2026-03-23
Keycloak: org.keycloak.authorization: keycloak: unauthorized resource modification due to improper access control
CVE-2026-4628CWE-284
Medium · CVSS 4.3
EPSS 0.0% (2th pct)2026-03-23
Keycloak-services: blind server-side request forgery (ssrf) via http redirect handling in keycloak
CVE-2026-4366
Workaround
CWE-918
Medium · CVSS 5.8
EPSS 0.0% (11th pct)2026-03-18
Org.keycloak.services.resources.account: improper access control leading to mfa deletion and account takeover in keycloak account rest api
CVE-2026-3429
Patch
CWE-284
Medium · CVSS 4.2
EPSS 0.0% (4th pct)2026-03-11
Org.keycloak/keycloak-services: keycloak: missing check on disabled client for docker registry protocol
CVE-2026-2733
Patch
CWE-285
Low · CVSS 3.8
EPSS 0.0% (10th pct)2026-02-19
Keycloak-server: sensitive headers shown in the http access logs
CVE-2025-11537
Patch
CWE-117
Medium · CVSS 5.0
EPSS 0.0% (0th pct)2026-02-10
Keycloak: blind server-side request forgery (ssrf) via ciba backchannel notification endpoint in keycloak
CVE-2026-1518
Workaround
CWE-918
Low · CVSS 2.7
EPSS 0.0% (2th pct)2026-02-02
Undertow: outofmemoryerror in httpservletrequestimpl.getparameternames() can cause remote dos attacks
CVE-2024-4027
Patch
CWE-20
High · CVSS 7.5
EPSS 0.4% (60th pct)2026-01-30
Org.keycloak/keycloak-services: keycloak saml brokering: response delay due to unchecked notonorafter in subjectconfirmationdata
CVE-2026-1190
Patch
CWE-112
Low · CVSS 3.1
EPSS 0.0% (7th pct)2026-01-26
Org.keycloak.protocol.oidc: blind server-side request forgery (ssrf) in keycloak oidc dynamic client registration via jwks_uri
CVE-2026-1180
Patch
CWE-918
Medium · CVSS 5.8
EPSS 0.0% (4th pct)2026-01-20

Showing 30 of 70

Common weakness types

The CWE weakness categories most often found in Red Hat Build of Keycloak CVEs. Follow any weakness for its full explanation.

CWE-918Server-Side Request Forgery (SSRF)4 CVEs
CWE-284Improper Access Control4 CVEs
CWE-20Improper Input Validation4 CVEs
CWE-770Allocation of Resources Without Limits or Throttling3 CVEs
CWE-401Missing Release of Memory after Effective Lifetime3 CVEs
CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')3 CVEs
CWE-287Improper Authentication2 CVEs
CWE-347Improper Verification of Cryptographic Signature2 CVEs

Disclosure activity by year

How many Red Hat Build of Keycloak CVEs were published each year.

2023

1

2024

25

2025

13

2026

31

Other Red Hat products

Browse vulnerabilities for other products by Red Hat.

Red Hat Enterprise Linux 9678 CVEs Red Hat Enterprise Linux 8672 CVEs Red Hat Enterprise Linux 7581 CVEs Red Hat Enterprise Linux 6537 CVEs Red Hat Enterprise Linux 10386 CVEs Red Hat OpenShift Container Platform 4188 CVEs Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support129 CVEs Red Hat Enterprise Linux 9.4 Extended Update Support118 CVEs

All Red Hat vulnerabilities

Frequently asked questions

Common questions about Red Hat Build of Keycloak vulnerabilities.

How many CVEs does Red Hat Red Hat Build of Keycloak have?

Red Hat Red Hat Build of Keycloak has 70 published CVE records since 2023.

How many Red Hat Red Hat Build of Keycloak CVEs are in CISA KEV?

None of Red Hat Red Hat Build of Keycloak's CVEs are currently listed in CISA's Known Exploited Vulnerabilities catalog.

Are there public exploits for Red Hat Red Hat Build of Keycloak vulnerabilities?

Yes — 1 of Red Hat Red Hat Build of Keycloak's CVEs have a known public exploit.

Which versions of Red Hat Red Hat Build of Keycloak are affected?

1 distinct Red Hat Red Hat Build of Keycloak version is named across its CVEs. Use the version filter above to see the CVEs affecting a specific version.

What are the most common weakness types in Red Hat Red Hat Build of Keycloak CVEs?

Red Hat Red Hat Build of Keycloak's CVEs most often map to these CWE weakness types: CWE-918 (Server-Side Request Forgery (SSRF)), CWE-284 (Improper Access Control), CWE-20 (Improper Input Validation), CWE-770 (Allocation of Resources Without Limits or Throttling).

What is the average severity of Red Hat Red Hat Build of Keycloak CVEs?

The average CVSS base score across Red Hat Red Hat Build of Keycloak's scored CVEs is 5.6.

References

All Red Hat vulnerabilities
The MITRE CVE Program (opens in a new tab)
Learn: What is a CVE?
CWE directory: the weakness types these CVEs map to

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track Red Hat Build of Keycloak vulnerabilities

Monitor new Red Hat Build of Keycloak vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing

On this page

Overview
Severity and exploitation
Affected versions and CVEs
Common weakness types
Disclosure activity
Other products
FAQ
References