org.keycloak/keycloak-core 26.5.4 | Vulner… | Sonatype Guide
keycloak-core 26.5.4
org.keycloak
Published: Feb 20, 2026
maven Registry
Developer Trust Score: N/A
Versions: 226
Vulnerabilities: 3
Dependencies: 7
Severity: Critical (0), High (2), Medium (0), Low (0)
CVE-2026-3009
Score: 8.1
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.
Status: affected
Severity: High
Published: Mar 6, 2026
CVE-2026-2603
Score: 8.1
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.
Status: affected
Severity: High
Published: Mar 6, 2026