Maven CVE Archive

org.keycloak:keycloak-services CVE Vulnerabilities

All known CVEs affecting org.keycloak:keycloak-services. Kodem’s runtime-powered SCA reveals which are actually reachable in your application.

Known vulnerabilities

CVE | Summary | Severity
CVE-2026-9795 | Keycloak has privilege escalation via improper scope mapping enforcement | High
CVE-2026-9803 | Keycloak has an Out-of-bounds Read | Medium
CVE-2026-9802 | Keycloak has Insufficient Session Expiration | Medium
CVE-2026-9798 | Keycloak has an Authentication Bypass by Primary Weakness | Medium
CVE-2026-9793 | Keycloak has an Improper Verification of Cryptographic Signature issue | Medium
CVE-2026-9794 | Keycloak Generates an Error Message Containing Sensitive Information | Medium
CVE-2026-9792 | Keycloak Vulnerable to Improper Handling of Insufficient Permissions or… | Medium
CVE-2026-9791 | Keycloak Vulnerable to Incorrect Authorization | Medium
CVE-2026-9704 | Keycloak Vulnerable to Improper Validation of Specified Quantity in Input | Medium
CVE-2026-9689 | Keycloak Services has Improper Validation of Consistency within Input | Medium
CVE-2026-9087 | Keycloak: Insufficient verification proof scoping enables identity provider… | Medium
CVE-2026-7507 | Keycloak: Session fixation in OIDC login flow that can lead to account takeover | High
CVE-2026-7504 | Keycloak: Open redirect when using wildcard valid redirect URIs in Keycloak | High
CVE-2026-7571 | Keycloak: Access token disclosure and implicit flow bypass via forged client… | High
CVE-2026-4630 | Keycloak Protection API allows authenticated clients to access and modify… | Medium
CVE-2026-37981 | Keycloak Account Resources user lookup contains broken access control | Medium
CVE-2026-37982 | Keycloak: Unauthorized account takeover via WebAuthn token replay | Medium
CVE-2026-37979 | Keycloak: Information disclosure via OIDC token introspection endpoint audience… | Medium
CVE-2026-37978 | Keycloak: Information Disclosure via evaluate-scopes Admin API | Medium
CVE-2026-8922 | Keycloak: Revoked Tokens Can Remain Active When Both Realm-Level and… | Medium
CVE-2026-8830 | Keycloak: Policy bypass during WebAuthn credential registration via client-side… | Medium
CVE-2026-7500 | Keycloak has a Forced Browsing issue | Medium
CVE-2026-37980 | Keycloak: Arbitrary code execution via Stored Cross-Site Scripting (XSS) in… | Medium
CVE-2026-4634 | Keycloak: Application-Level DoS via Scope Processing | High
CVE-2026-4282 | Keycloak: Privilege escalation via forged authorization codes due to… | High
CVE-2026-4325 | Keycloak: Replay of action tokens via improper handling of single-use entries | Medium
CVE-2026-4636 | Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User… | High
CVE-2026-3872 | Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth… | High
CVE-2026-3190 | Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads… | Medium
CVE-2026-3121 | Keycloak: manage-clients permission escalates to full realm admin access | Medium
CVE-2026-4628 | Keycloak has Improper Access Control that allows attackers with valid… | Medium
CVE-2026-2575 | Keycloak: Denial of Service due to excessive SAMLRequest decompression | Medium
CVE-2026-2092 | Keycloak: Unauthorized access via improper validation of encrypted SAML… | High
CVE-2026-2603 | Keycloak: Unauthorized authentication via disabled SAML Identity Provider | High
CVE-2026-3429 | Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover… | Medium
CVE-2026-3009 | Keycloak allows authentication using an Identity Provider (IdP) even after it… | High
CVE-2025-14778 | Keycloak Affected by Broken Access Control Vulnerability in the… | Medium
CVE-2026-1486 | Keycloak fails to verify if an Identity Provider (IdP) is enabled before… | High
CVE-2026-1529 | Keycloak affected by improper invitation token validation | High
CVE-2025-14559 | Keycloak services allows the issuance of access and refresh tokens for disabled… | Medium

Prioritize org.keycloak:keycloak-services vulnerabilities

Kodem Kai can identify which of these CVEs are reachable in your dependency tree and generate targeted fix recommendations.
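Before any of the CVEs above can be prioritized, you need to know whether org.keycloak:keycloak-services is in the build at all, at which version, and through which path, since a transitive copy pulled in by another library is easy to miss. The Python below is an added example written for this page, not Kodem's or Keycloak's code. It parses the output of `mvn dependency:tree -Dverbose` (a real Maven plugin goal and flag) and reports every occurrence of the artifact, including transitive ones and the shadowed copies that Maven marks "omitted for conflict", which only appear with -Dverbose. The project coordinates, library names and version numbers in the embedded sample tree are constructed for illustration and say nothing about which versions any listed CVE affects; the page gives no affected-version ranges, so mapping a found version to a CVE still requires the individual advisory.

```python
"""Locate org.keycloak:keycloak-services in `mvn dependency:tree -Dverbose` output.

Added example for this page; not Kodem's or Keycloak's code. The sample tree at
the bottom is constructed: its artifact names and version numbers are invented.
"""
import re
from dataclasses import dataclass

# One tree line. Each nesting level is a three-character unit ("+- ", "\- ",
# "|  " or "   "); in verbose mode Maven wraps nodes it dropped in parentheses
# followed by "- omitted for conflict with ..." or "- omitted for duplicate".
LINE_RE = re.compile(
    r"^(?:\[INFO\] )?(?P<prefix>(?:\|  |   |\+- |\\- )*)\(?(?P<gav>[^\s)]+)(?P<rest>.*)$"
)


@dataclass
class Occurrence:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int       # 0 = the project itself, 1 = a direct dependency
    path: list       # "group:artifact" chain from the project down to this node
    omitted: bool    # True when Maven did not resolve this node (conflict/duplicate)

    @property
    def direct(self) -> bool:
        return self.depth == 1


def split_gav(token: str):
    """Split g:a:type[:classifier]:version[:scope]; None for non-coordinate tokens."""
    parts = token.split(":")
    if len(parts) == 4:            # project root: g:a:type:version
        return parts[0], parts[1], parts[3], ""
    if len(parts) == 5:            # g:a:type:version:scope
        return parts[0], parts[1], parts[3], parts[4]
    if len(parts) == 6:            # g:a:type:classifier:version:scope
        return parts[0], parts[1], parts[4], parts[5]
    return None


def parse_tree(text: str) -> list:
    """Return every node in the tree with its depth and parent chain."""
    stack, nodes = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        gav = split_gav(m.group("gav"))
        if gav is None:
            continue               # plugin banners, "BUILD SUCCESS", separators
        group, artifact, version, scope = gav
        depth = len(m.group("prefix")) // 3
        del stack[depth:]          # pop back to this node's parent level
        stack.append(f"{group}:{artifact}")
        nodes.append(Occurrence(group, artifact, version, scope, depth,
                                list(stack), "omitted for" in m.group("rest")))
    return nodes


def find_artifact(text: str, group: str = "org.keycloak",
                  artifact: str = "keycloak-services") -> list:
    """All occurrences of one artifact, in tree order (direct deps come first)."""
    return [n for n in parse_tree(text)
            if n.group == group and n.artifact == artifact]


def resolved_versions(text: str, group: str = "org.keycloak",
                      artifact: str = "keycloak-services") -> list:
    """Versions Maven actually put on the classpath (omitted nodes excluded)."""
    return sorted({n.version for n in find_artifact(text, group, artifact)
                   if not n.omitted})


# Constructed sample of `mvn dependency:tree -Dverbose` output; every
# coordinate and version below is invented for the example.
SAMPLE_TREE = r"""
[INFO] --- dependency:3.6.1:tree (default-cli) @ payments-api ---
[INFO] com.example:payments-api:jar:1.4.2
[INFO] +- org.keycloak:keycloak-services:jar:24.0.3:compile
[INFO] |  +- org.keycloak:keycloak-core:jar:24.0.3:compile
[INFO] |  \- org.keycloak:keycloak-server-spi:jar:24.0.3:compile
[INFO] +- com.example:legacy-auth-lib:jar:2.1.0:compile
[INFO] |  \- (org.keycloak:keycloak-services:jar:21.1.2:compile - omitted for conflict with 24.0.3)
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:3.2.5:compile
[INFO] BUILD SUCCESS
"""

if __name__ == "__main__":
    for occ in find_artifact(SAMPLE_TREE):
        kind = "direct" if occ.direct else "transitive"
        state = "omitted" if occ.omitted else "resolved"
        print(f"{occ.version:>8} {kind:<10} {state:<8} via {' -> '.join(occ.path)}")
    print("on classpath:", resolved_versions(SAMPLE_TREE))
```

To use it on a real build, capture `mvn dependency:tree -Dverbose` output (for example with the plugin's `-DoutputFile=` parameter) and pass that text to `find_artifact` in place of `SAMPLE_TREE`. Without `-Dverbose` Maven prints only the version it resolved, so the shadowed copy reported as "omitted" in the sample would be invisible; that copy matters because a change to the winning dependency can silently promote it onto the classpath.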
