keycloak-26.2
Chainguard
Status
Impact
The vulnerability originates directly in Keycloak’s upstream source code, not in a third-party dependency that can be patched by bumping versions. Since the community Keycloak project only supports the latest minor line, the fix is not backported to OSS 26.2.x. Although github tags exist for more recent 26.2.x tags, these are Red Hat build of Keycloak (RHBK) productized releases, not community OSS builds. To avoid this CVE we recommend using Keycloak 26.3.3 or above.
Status
Impact
Core services vulnerability in keycloak-services affects versions <=26.3.2. No fix currently available, pending upstream fix.
Status