Security Advisories · keycloak/keycloak · GitHub

Security Advisories

View known security vulnerabilities and report new vulnerabilities privately to maintainers.

Report a vulnerability

Impersonation via logout token exchange
GHSA-7fpj-9hr8-28vh published Apr 17, 2024 by abstractj

Low
XSS via assertion consumer service URL in SAML POST-binding flow
GHSA-8rmm-gm28-pj8q published Apr 17, 2024 by abstractj

High
Path traversal in the redirect validation
GHSA-mrv8-pqfj-7gp5 published Apr 17, 2024 by abstractj

High
Authorization Bypass
GHSA-46c8-635v-68r2 published Apr 17, 2024 by abstractj

Moderate
Log Injection during WebAuthn authentication or registration
GHSA-j628-q885-8gr5 published Apr 17, 2024 by abstractj

Low
keycloak-core: open redirect via "form_post.jwt" JARM response mode
GHSA-9vm7-v8wj-3fqw published Jan 22, 2024 by abstractj

Moderate
The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted
GHSA-mpwq-j3xf-7m5w published Dec 19, 2023 by abstractj

High
Reflected XSS via wildcard in OIDC redirect_uri
GHSA-cvg2-7c3j-g36j published Dec 18, 2023 by abstractj

Moderate
Plaintext Storage of User Password
GHSA-5q66-v53q-pm35 published Sep 12, 2023 by abstractj

High
Secondary factor bypass in step-up authentication
GHSA-4f53-xh3v-g8x4 published Apr 17, 2024 by abstractj

Moderate