Keycloak Vulnerabilities: Info Disclosure and Privilege Escalation
Summary
CERT-Bund has issued a security advisory regarding critical vulnerabilities in Keycloak versions prior to 26.5.6. These vulnerabilities allow for remote information disclosure and privilege escalation. Mitigation is available.
What changed
CERT-Bund has released Security Advisory WID-SEC-2026-0787 (published 18.03.2026, last updated 19.03.2026) covering multiple vulnerabilities in Keycloak that affect all versions prior to 26.5.6. The flaws are remotely exploitable and allow an attacker to disclose sensitive information and to escalate privileges. The CVSS base score is 9.1 (critical); the temporal score is 7.9 (high).
The advisory lists Linux as the affected platform. Organizations running Keycloak should determine which version each instance is on and update to 26.5.6 or later; where an immediate update is not possible, apply the mitigations the advisory references. Because Keycloak usually acts as the identity provider for many downstream applications, information disclosure or privilege escalation on it can expose every service that trusts it for authentication.
What to do next
- Update Keycloak to version 26.5.6 or later
- Implement available mitigations if immediate update is not possible
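The first step in the procedure above is finding out which instances are still below 26.5.6. The following is an added example, not code from CERT-Bund or the Keycloak project: it parses a Keycloak version string and compares it numerically against the first fixed release, so that a version such as 26.10.0 is not misranked below 26.5.6 by a plain string comparison, and it treats a pre-release build of the fixed version (for example a -SNAPSHOT suffix) as still affected. The `version_from_serverinfo` helper assumes the admin REST endpoint `GET /admin/serverinfo` returns JSON with a `systemInfo.version` field; both the JSON body and the `kc.sh --version` output used below are constructed samples, not real captures.

```python
"""Version triage for Keycloak advisory WID-SEC-2026-0787.

Added example, not part of the advisory or of Keycloak itself.
"""
import json
import re

# First release the advisory lists as not affected.
FIXED_VERSION = (26, 5, 6)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(text: str) -> tuple:
    """Return ((major, minor, patch), is_prerelease) from a version string.

    Accepts a bare version ("26.5.5"), the first line printed by
    `kc.sh --version` (assumed to look like "Keycloak 26.5.5"), and
    suffixed builds such as "26.5.6-SNAPSHOT".
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    nums = tuple(int(p) for p in m.group(1, 2, 3))
    return nums, m.group(4) is not None


def is_affected(version: str) -> bool:
    """True when the instance is older than 26.5.6.

    Numeric tuple comparison avoids the classic string-compare trap
    ("26.10.0" < "26.5.6" lexicographically). A pre-release build that
    carries the fixed version number is treated conservatively as affected.
    """
    nums, prerelease = parse_version(version)
    return nums < FIXED_VERSION or (nums == FIXED_VERSION and prerelease)


def version_from_serverinfo(payload: str) -> str:
    """Extract the version from a GET /admin/serverinfo JSON body.

    Assumption: the response carries systemInfo.version (admin token required
    to call the endpoint; the payload fed in here is constructed).
    """
    return json.loads(payload)["systemInfo"]["version"]


def assess(sources: dict) -> dict:
    """Map each instance name to True (affected) or False (fixed)."""
    return {name: is_affected(raw) for name, raw in sources.items()}


# Constructed inputs standing in for what you would collect from each host.
SAMPLE_SERVERINFO = '{"systemInfo": {"version": "26.5.5"}, "memoryInfo": {}}'
SAMPLE_KC_VERSION_OUTPUT = "Keycloak 26.5.6\nJVM: 21.0.2\nOS: Linux"

if __name__ == "__main__":
    results = assess({
        "idp-prod (REST serverinfo)": version_from_serverinfo(SAMPLE_SERVERINFO),
        "idp-stage (kc.sh --version)": SAMPLE_KC_VERSION_OUTPUT,
        "idp-dev (snapshot build)": "26.5.6-SNAPSHOT",
        "string-compare trap": "26.10.0",
    })
    for host, affected in results.items():
        state = "AFFECTED - update to 26.5.6 or later" if affected else "not affected"
        print(f"{host}: {state}")
```

Feed it the version each instance reports (from the admin console, the REST endpoint, or the distribution's `kc.sh --version`); anything flagged affected goes on the update list.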
Source document (simplified)
[WID-SEC-2026-0787] Keycloak: Multiple vulnerabilities. CVSS Base Score 9.1 (critical). CVSS Temporal Score 7.9 (high). Remote attack: yes. Date: 18.03.2026. Last updated: 19.03.2026. Mitigation: yes.
Affected systems
Operating system
- Linux
Product description
Keycloak provides single sign-on with identity and access management for modern applications and services.
Products (18.03.2026)
- Open Source Keycloak <26.5.6
Attack
An attacker can exploit multiple vulnerabilities in Keycloak to disclose information and to elevate their privileges.