Known Vulnerabilities for products from Keycloak
Listed below are 7 of the newest known vulnerabilities associated with the vendor "Keycloak".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data), as well as a keyword search, to ensure that the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs; each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-41166 | | Not Provided | 2026-04-22 | 2026-04-23 |
| CVE-2026-40948 | | Not Provided | 2026-04-18 | 2026-04-20 |
| CVE-2026-37980 | | Not Provided | 2026-04-14 | 2026-04-14 |
| CVE-2026-37977 | | Not Provided | 2026-04-06 | 2026-04-06 |
| CVE-2026-7500 | | Not Provided | 2026-04-30 | 2026-04-30 |
| CVE-2026-4874 | | Not Provided | 2026-03-26 | 2026-04-01 |
| CVE-2026-4636 | | Not Provided | 2026-04-02 | 2026-04-02 |
| CVE-2026-4634 | | Not Provided | 2026-04-02 | 2026-04-03 |
| CVE-2026-4633 | | Not Provided | 2026-03-23 | 2026-04-01 |
| CVE-2026-4628 | | Not Provided | 2026-03-23 | 2026-03-25 |
| CVE-2018-10912 | keycloak before version 4.0.0.final is vulnerable to an infinite loop in session replacement. A Keycloak cluster with multiple... | 4.9 - MEDIUM | 2018-07-23 | 2021-04-22 |
| CVE-2017-12161 | It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a passw... | 8.8 - HIGH | 2018-02-21 | 2019-10-09 |
| CVE-2017-12159 | It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this ... | Not Provided | 2017-10-26 | 2025-04-20 |
| CVE-2017-12158 | It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations... | Not Provided | 2017-10-26 | 2025-04-20 |
| CVE-2017-7474 | It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this... | Not Provided | 2017-05-12 | 2025-04-20 |
| CVE-2014-3709 | The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attacke... | Not Provided | 2017-10-18 | 2025-04-20 |
| CVE-2014-3651 | JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large val... | Not Provided | 2017-12-29 | 2025-04-20 |
Known software with vulnerabilities from Keycloak
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Keycloak | Keycloak-nodejs-auth-utils | 2.5.0 |