All known vulnerabilities

| Severity | Score | CVE | Summary | Affected versions |
|---|---|---|---|---|
| | | | | from 0, < 8.0.2 |
| CRITICAL | 9.6 | CVE-2021-20195 | keycloak Self Stored Cross-site Scripting vulnerability | from 0, < 13.0.0 |
| CRITICAL | 9.1 | CVE-2019-14837 | keycloak vulnerable to unauthorized login via mail server setup | from 0, < 8.0.0 |
| HIGH | 8.8 | CVE-2023-4918 | Keycloak vulnerable to Plaintext Storage of User Password | >= 22.0.2, < 22.0.3 |
| | | | | from 0, < 12.0.0 |
| | | | | from 0, < 11.0.0 |
| HIGH | 8.8 | CVE-2019-10199 | Improper Input Validation and Cross-Site Request Forgery in Keycloak | from 0, < 7.0.0 |
| | | | | from 0, < 12.0.0 |
| HIGH | 8.1 | CVE-2019-10201 | Improper Verification of Cryptographic Signature in keycloak | from 0, < 7.0.0 |
| | | | | from 0, < 4.6.0 |
| HIGH | 8.1 | CVE-2016-8609 | Improper Authentication in org.keycloak:keycloak-core | from 0, < 2.3.0 |
| HIGH | 7.5 | CVE-2021-3632 | Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow | from 0, < 15.1.0 |
| HIGH | 7.5 | CVE-2014-3651 | Keycloak vulnerable to uncontrolled resource consumption | from 0, < 1.0.3 |
| HIGH | 7.5 | CVE-2017-2646 | Keycloak vulnerable to infinite loop based Denial of Service | from 0, < 2.5.5 |
| HIGH | 7.3 | CVE-2021-20202 | Temporary Directory Hijacking Vulnerability in Keycloak | from 0, < 13.0.0 |
| HIGH | 7.2 | CVE-2019-10170 | Privilege Defined With Unsafe Actions in Keycloak | from 0, < 8.0.0 |
| HIGH | 7.1 | CVE-2024-10039 | Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination | from 0, < 26.0.6 |
| MEDIUM | 6.8 | CVE-2021-20262 | Keycloak Missing authentication for critical function | from 0, <= 12.0.4 |
| | | | | from 0, < 24.0.0 |
| MEDIUM | 6.5 | CVE-2023-0105 | Keycloak: Impersonation and lockout possible through incorrect handling of email trust | from 0, < 22.0.1 |
| MEDIUM | 6.5 | CVE-2023-1664 | Keycloak Untrusted Certificate Validation vulnerability | from 0, < 21.1.2 |
| MEDIUM | 6.5 | CVE-2023-0091 | Keycloak has lack of validation of access token on client registrations endpoint | from 0, < 20.0.3 |
| MEDIUM | 6.5 | CVE-2020-27838 | Keycloak discloses information without authentication | from 0, < 13.0.0 |
| | | | | from 0, < 17.0.1 |
| | | | | from 0, < 2.5.1 |
| MEDIUM | 6.1 | CVE-2014-3656 | JBoss KeyCloak Cross-site Scripting Vulnerability | from 0, < 1.1.0.Beta1 |
| | | | | from 0, <= 3.2.1.Final |
| | | | | >= 15.0.0, < 17.0.0 |
| MEDIUM | 5.9 | CVE-2017-2585 | keycloak-core vulnerable to timing attacks against JWS token verification | from 0, < 2.5.1 |
| MEDIUM | 5.6 | CVE-2020-1744 | Exposure of Sensitive Information in keycloak | from 0, < 9.0.1 |
| MEDIUM | 5.5 | CVE-2020-1698 | Keycloak leaks sensitive information in logged exceptions | from 0, < 9.0.0 |
| MEDIUM | 5.4 | CVE-2022-0225 | Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown | from 0, < 20.0.0 |
| MEDIUM | 5.4 | CVE-2022-0225 | Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown | from 0, <= 16.1.0 |
| MEDIUM | 5.4 | CVE-2020-35509 | Keycloak vulnerable to Improper Certificate Validation | from 0, < 14.0.0 |
| | | | | from 0, < 9.0.0 |
| MEDIUM | 5.3 | CVE-2020-10770 | Keycloak vulnerable to Server-Side Request Forgery | from 0, < 13.0.0 |
| MEDIUM | 4.9 | CVE-2018-10912 | Moderate severity vulnerability that affects org.keycloak:keycloak-core | from 0, < 4.0.0 |
| MEDIUM | 4.8 | CVE-2024-7318 | Keycloak's One Time Passcode (OTP) is valid longer than expiration time | from 0, < 24.0.7 |
| MEDIUM | 4.8 | CVE-2019-3875 | Improper Certificate Validation and Insufficient Verification of Data Authenticity in Keycloak | from 0, <= 6.0.1 |
| MEDIUM | 4.7 | CVE-2020-10686 | Keycloak users may be able to remove MFA from other users' devices | from 0, < 9.0.2 |
| MEDIUM | 4.6 | CVE-2023-6927 | keycloak-core: open redirect via "form_post.jwt" JARM response mode | from 0, < 23.0.4 |
| | | | | from 0, < 24.0.7 |
| MEDIUM | 4.3 | CVE-2021-3856 | Keycloak has Files or Directories Accessible to External Parties | from 0, < 15.1.0 |
| | | | | from 0, < 9.0.2 |
| MEDIUM | 4.3 | CVE-2019-14820 | Exposure of Sensitive Information to an Unauthorized Actor in Keycloak | from 0, < 8.0.0 |
| | | | | from 0, <= 26.1.2 |
| LOW | 3.8 | CVE-2019-3868 | Exposure of Sensitive Information to an Unauthorized Actor in Keycloak | from 0, < 6.0.0 |
| — | — | CVE-2020-1728 | Improper Restriction of Rendered UI Layers or Frames in Keycloak | from 0, <= 9.0.3 |
| — | — | CVE-2017-12161 | Moderate severity vulnerability that affects org.keycloak:keycloak-core | from 0, < 3.4.2 |
| — | — | CVE-2016-8629 | Moderate severity vulnerability that affects org.keycloak:keycloak-core | from 0, < 2.4.0 |

Rows that carry only an affected-version range belong to advisory entries whose severity, CVE identifier and summary were not captured on this page.