Security Advisories · keycloak/keycloak · GitHub

Security Advisories

View known security vulnerabilities and report new vulnerabilities privately to maintainers.

Report a vulnerability

Impersonation and lockout possible through incorrect handling of email trust
GHSA-c7xw-p58w-h6fj published Jul 18, 2023 by stianst

Moderate
Client Spoofing within the Keycloak Device Authorisation Grant
GHSA-f5h4-wmp5-xhg6 published Jun 28, 2023 by abstractj

Moderate
Untrusted Certificate Validation
GHSA-5cc8-pgp5-7mpm published Jun 28, 2023 by abstractj

Low
Improper Client Certificate Validation for OAuth/OpenID clients
GHSA-3qh5-qqj2-c78f published Jun 28, 2023 by abstractj

High
User impersonation via stolen UUID code
GHSA-9g98-5mj6-f9mv published Mar 2, 2023 by stianst

High
XSS on impersonation under specific circumstances
GHSA-w354-2f3c-qvg9 published Feb 27, 2023 by abstractj

Moderate
Lack of validation of access token on client registrations endpoint
GHSA-v436-q368-hvgg published Jan 12, 2023 by abstractj

Low
Session takeover with OIDC offline refreshtokens
GHSA-97g8-xfvw-q4hg published Dec 13, 2022 by abstractj

Moderate
Path traversal via double URL encoding
GHSA-g8q8-fggx-9r3q published Dec 13, 2022 by abstractj

High
Reflected XSS on OpenID connect login service
GHSA-9hhc-pj4w-w5rv published Feb 27, 2023 by abstractj

High