Skip to content

RadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

CWE Directory
CAPEC Directory
CNA Directory
CNA Report Cards
Data Sources

Calculators

CVSS Calculator
CVSS 4.0
CVSS 3.1
CVSS 3.0
CVSS 2.0

Platform

My Vulnerabilities
Insights
Notifications
Account
Pricing

Learn

All guides
What is a CVE?
What is CVSS?
The CISA KEV catalog
What is EPSS?

Company

About us
Blog
Book a demo

Get Started

Sign up
Log in

Legal

Privacy
Terms

Security data

Weaknesses (CWE)The MITRE CWE weakness catalog
Attack Patterns (CAPEC)MITRE CAPEC attack patterns
CNAsNumbering authorities + report cards
VendorsVulnerabilities by vendor

Tools

CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

LearnPlain-English security guides
Data SourcesHow we source CVE data

About Us Blog Pricing Book a Demo

Log in

Home
Vendors
Redhat
Build Of Keycloak

redhat build of keycloak Vulnerabilities: CVEs, CISA KEV & Security Advisories

32 CVEs

redhat build of keycloak Vulnerabilities

CVE security advisories and vulnerability history for build of keycloak by redhat.

32

Total CVEs

Published

0

In CISA KEV

Exploited in the wild

1

Public exploits

With known exploit

5.9

Avg CVSS

2024–2026

Last updated May 20, 2026

Overview

redhat build of keycloak has 32 published CVE records since 2024, of which 0 are in CISA's Known Exploited Vulnerabilities catalog and 1 have a known public exploit. The average CVSS base score across scored CVEs is 5.9.

This page aggregates every publicly disclosed vulnerability (CVE) affecting redhat build of keycloak, with a severity breakdown, the affected and patched versions, the most common weakness types, and the full CVE list.

Severity and exploitation

How the CVSS severity of redhat build of keycloak's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical0

High9

Medium18

Low5

In CISA’s Known Exploited Vulnerabilities catalog

0

None of redhat build of keycloak's CVEs are currently listed in CISA's KEV catalog.

Public exploits

1

One of redhat build of keycloak's CVEs has a known public exploit available.

Affected versions and CVEs

Browse every redhat build of keycloak version named in a CVE, then pick one to see only the CVEs that affect it.

Fixed in

24.0.73 CVEs
22.0.121 CVE
22.0121 CVE
26.0.111 CVE
26.4.41 CVE
26.4.91 CVE

Find a version

32 CVEs

Sort

Keycloak: cross-session email verification proof not bound to upstream identity in first-broker-login
CVE-2026-9087
Workaround
CWE-639
Medium · CVSS 6.4
EPSS 0.0% (8th pct)2026-05-20
Keycloak: org.keycloak/keycloak-services: keycloak: policy bypass during webauthn credential registration via client-side javascript manipulation
CVE-2026-8830
Patch
CWE-603
Medium · CVSS 4.3
EPSS 0.0% (4th pct)2026-05-19
Org.keycloak.keycloak-services: improper access control on keycloak server when the account account api feature is disabled
CVE-2026-7500
Workaround
CWE-425
Medium · CVSS 5.4
EPSS 0.0% (9th pct)2026-04-30
Org.keycloak.forms.login: keycloak: keycloak: arbitrary code execution via stored cross-site scripting (xss) in organization selection login page
CVE-2026-37980
Workaround
CWE-79
Medium · CVSS 6.9
EPSS 0.0% (16th pct)2026-04-14
Keycloak: org.keycloak.protocol.oidc.grants.ciba: keycloak: information disclosure via cors header injection due to unvalidated jwt azp claim
CVE-2026-37977CWE-346
Low · CVSS 3.7
EPSS 0.0% (1th pct)2026-04-06
Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.
CVE-2026-4636
Patch
CWE-551
High · CVSS 8.1
EPSS 0.0% (2th pct)2026-04-02
Keycloak: keycloak: denial of service via excessive processing of openid connect scope parameters
CVE-2026-4634
Patch
CWE-1050
High · CVSS 7.5
EPSS 0.0% (7th pct)2026-04-02
Keycloak: keycloak: replay of action tokens via improper handling of single-use entries
CVE-2026-4325
Patch
CWE-653
Medium · CVSS 5.3
EPSS 0.0% (12th pct)2026-04-02
Keycloak: keycloak: privilege escalation via forged authorization codes due to singleuseobjectprovider isolation flaw
CVE-2026-4282
Patch
CWE-653
High · CVSS 7.4
EPSS 0.0% (6th pct)2026-04-02
Keycloak: keycloak: information disclosure due to redirect_uri validation bypass
CVE-2026-3872
Patch
Workaround
CWE-601
High · CVSS 7.3
EPSS 0.0% (2th pct)2026-04-02
Keycloak: org.keycloak/keycloak-services: keycloak: privilege escalation via manage-clients permission
CVE-2026-3121
Patch
CWE-266
Medium · CVSS 6.5
EPSS 0.0% (2th pct)2026-03-26
Keycloak: keycloak: information disclosure via improper role enforcement in uma 2.0 protection api
CVE-2026-3190
Patch
CWE-280
Medium · CVSS 4.3
EPSS 0.0% (2th pct)2026-03-26
Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation
CVE-2026-4874CWE-918
Low · CVSS 3.1
EPSS 0.0% (1th pct)2026-03-26
Keycloak: keycloak: user enumeration via differential error messages
CVE-2026-4633
Patch
CWE-209
Low · CVSS 3.7
EPSS 0.0% (5th pct)2026-03-23
Keycloak: org.keycloak.authorization: keycloak: unauthorized resource modification due to improper access control
CVE-2026-4628CWE-284
Medium · CVSS 4.3
EPSS 0.0% (2th pct)2026-03-23
Keycloak-services: blind server-side request forgery (ssrf) via http redirect handling in keycloak
CVE-2026-4366
Workaround
CWE-918
Medium · CVSS 5.8
EPSS 0.0% (11th pct)2026-03-18
Org.keycloak.services.resources.admin.userresource: keycloak: information disclosure of disabled user attributes via administrative endpoint
CVE-2026-3911
Patch
CWE-359
Low · CVSS 2.7
EPSS 0.0% (2th pct)2026-03-11
Org.keycloak.broker.saml: keycloak saml broker: authentication bypass due to disabled saml client completing idp-initiated login
CVE-2026-3047
Patch
Workaround
CWE-305
High · CVSS 8.8
EPSS 0.4% (64th pct)2026-03-05
Org.keycloak/keycloak-services: improper enforcement of disabled identity provider in identitybrokerservice (authentication bypass)
CVE-2026-3009
Patch
CWE-863
High · CVSS 8.1
EPSS 0.0% (11th pct)2026-03-05
Org.keycloak/keycloak-services: webauthn attestation statement verification bypass
CVE-2025-12150
Patch
CWE-347
Low · CVSS 3.1
EPSS 0.0% (3th pct)2026-02-27
Org.keycloak/keycloak-services: keycloak: unauthorized modification of unmanaged user attributes by administrators
CVE-2026-0871
Patch
CWE-266
Medium · CVSS 4.9
EPSS 0.0% (2th pct)2026-02-27
Org.keycloak/keycloak-services: privilege escalation in keycloak admin console (fgapv2 enabled)
CVE-2025-7784
Patch
CWE-269
Medium · CVSS 6.5
EPSS 0.1% (26th pct)2025-07-18
Org.keycloak.authentication: two factor authentication bypass
CVE-2025-3910
Patch
Workaround
CWE-287
Medium · CVSS 5.4
EPSS 0.1% (22th pct)2025-04-29
Wildfly: wildfly vulnerable to cross-site scripting (xss)
CVE-2024-10234
Patch
CWE-79
Medium · CVSS 6.1
EPSS 0.6% (69th pct)2024-10-22
Keycloak: vulnerable redirect uri validation results in open redirec
CVE-2024-8883
Patch
CWE-601
Medium · CVSS 6.1
EPSS 6.6% (91th pct)2024-09-19
Wildfly-elytron: org.keycloak/keycloak-services: session fixation in elytron saml adapters
CVE-2024-7341
Patch
CWE-384
High · CVSS 7.1
EPSS 2.2% (85th pct)2024-09-09
Keycloak-core: one time passcode (otp) is valid longer than expiration timeseverity
CVE-2024-7318
Patch
CWE-324
Medium · CVSS 4.8
EPSS 1.2% (79th pct)2024-09-09
Keycloak-core: open redirect on account page
CVE-2024-7260
Patch
CWE-601
Medium · CVSS 6.1
EPSS 0.4% (59th pct)2024-09-09
Keycloak: potential bypass of brute force protection
CVE-2024-4629
Patch
CWE-837
Medium · CVSS 6.5
EPSS 0.4% (64th pct)2024-09-03
Undertow: improper state management in proxy protocol parsing causes information leakage
CVE-2024-7885
Patch
CWE-362
High · CVSS 7.5
EPSS 10.7% (93th pct)2024-08-21

Showing 30 of 32

Common weakness types

The CWE weakness categories most often found in redhat build of keycloak CVEs. Follow any weakness for its full explanation.

CWE-601URL Redirection to Untrusted Site ('Open Redirect')3 CVEs
CWE-287Improper Authentication2 CVEs
CWE-266Incorrect Privilege Assignment2 CVEs
CWE-653Improper Isolation or Compartmentalization2 CVEs
CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')2 CVEs
CWE-918Server-Side Request Forgery (SSRF)2 CVEs
CWE-284Improper Access Control1 CVE
CWE-280Improper Handling of Insufficient Permissions or Privileges1 CVE

Disclosure activity by year

How many redhat build of keycloak CVEs were published each year.

2024

9

2025

2

2026

21

Other redhat products

Browse vulnerabilities for other products by redhat.

enterprise linux2,124 CVEs enterprise linux desktop1,947 CVEs enterprise linux server1,914 CVEs enterprise linux workstation1,850 CVEs enterprise linux server aus1,062 CVEs enterprise linux eus787 CVEs enterprise linux server tus770 CVEs enterprise linux server eus625 CVEs

All redhat vulnerabilities

Frequently asked questions

Common questions about redhat build of keycloak vulnerabilities.

How many CVEs does redhat build of keycloak have?

redhat build of keycloak has 32 published CVE records since 2024.

How many redhat build of keycloak CVEs are in CISA KEV?

None of redhat build of keycloak's CVEs are currently listed in CISA's Known Exploited Vulnerabilities catalog.

Are there public exploits for redhat build of keycloak vulnerabilities?

Yes — 1 of redhat build of keycloak's CVEs have a known public exploit.

Which versions of redhat build of keycloak are affected?

6 distinct redhat build of keycloak versions are named across its CVEs. Use the version filter above to see the CVEs affecting a specific version.

What are the most common weakness types in redhat build of keycloak CVEs?

redhat build of keycloak's CVEs most often map to these CWE weakness types: CWE-601 (URL Redirection to Untrusted Site ('Open Redirect')), CWE-287 (Improper Authentication), CWE-266 (Incorrect Privilege Assignment), CWE-653 (Improper Isolation or Compartmentalization).

What is the average severity of redhat build of keycloak CVEs?

The average CVSS base score across redhat build of keycloak's scored CVEs is 5.9.

References

All redhat vulnerabilities
The MITRE CVE Program (opens in a new tab)
Learn: What is a CVE?
CWE directory: the weakness types these CVEs map to

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track redhat build of keycloak vulnerabilities

Monitor new redhat build of keycloak vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing

On this page

Overview
Severity and exploitation
Affected versions and CVEs
Common weakness types
Disclosure activity
Other products
FAQ
References