Vulnerability Report: keycloak/keycloak:26.6

keycloak/keycloak:latest, keycloak/keycloak:26.6, keycloak/keycloak:26.6.1-1, keycloak/keycloak:26.6.1
DIGEST: sha256:dea26401d06341095cc4ea9d66896200b55de5ca1daa1d2fcbe58493afa6e0ad

Executive Summary

CAUTION

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. Attackers could exploit vulnerabilities like CVE-2026-39852 to bypass authorization, or CVE-2026-33870 for request smuggling, potentially leading to unauthorized access to administrative functions or other severe impacts. While the Keycloak community image is popular and immutable by digest, the presence of these 72 exposed vulnerabilities, including one rated 7.1 and 7 others at 6.0 or higher, requires careful consideration. Remediation efforts should prioritize these high-impact findings before production use.

Threat Score: 53/100 (CAUTION)
Reputation: RELIABLE

Vulnerabilities

Vulnerability Log

77 total
| CVE ID | Adjusted Severity | Package | Installed Version | Fix | Exploit Probability | Risk Context |
|---|---|---|---|---|---|---|
| CVE-2026-22020 | HIGH 7.1 | java-21-openjdk-headless | 1:21.0.11.0.10-2.el9 | No fix yet | | Directly Exposed |
| CVE-2026-39852 | MEDIUM 6.97 | io.quarkus:quarkus-vertx-http | 3.33.1 | fixed in 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1 | <0.1%, Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2026-22801 | MEDIUM 6.63 | java-21-openjdk-headless | 1:21.0.11.0.10-2.el9 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-33870 | MEDIUM 6.38 | io.netty:netty-codec-http | 4.1.130.Final | fixed in 4.1.132.Final, 4.2.10.Final | <0.1%, Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2026-33871 | MEDIUM 6.38 | io.netty:netty-codec-http2 | 4.1.130.Final | fixed in 4.1.132.Final, 4.2.11.Final | <0.1%, Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2026-5588 | MEDIUM 6.38 | org.bouncycastle:bcpkix-jdk18on | 1.83 | fixed in 1.84 | <0.1%, Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2025-66293 | MEDIUM 6.03 | java-21-openjdk-headless | 1:21.0.11.0.10-2.el9 | No fix yet | 0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-22695 | MEDIUM 6.03 | java-21-openjdk-headless | 1:21.0.11.0.10-2.el9 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-4437 | MEDIUM 5.52 | glibc | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-4437 | MEDIUM 5.52 | glibc-common | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-4437 | MEDIUM 5.52 | glibc-langpack-en | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2024-7531 | MEDIUM 5.52 | nspr | 4.36.0-8.el9_4 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2024-7531 | MEDIUM 5.52 | nss | 3.112.0-8.el9_4 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2024-7531 | MEDIUM 5.52 | nss-softokn | 3.112.0-8.el9_4 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2024-7531 | MEDIUM 5.52 | nss-softokn-freebl | 3.112.0-8.el9_4 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2024-7531 | MEDIUM 5.52 | nss-sysinit | 3.112.0-8.el9_4 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2024-7531 | MEDIUM 5.52 | nss-util | 3.112.0-8.el9_4 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-0636 | MEDIUM 5.52 | org.bouncycastle:bcprov-jdk18on | 1.83 | fixed in 1.84 | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2025-59250 | MEDIUM 5.5 | com.microsoft.sqlserver:mssql-jdbc | 13.2.1 | fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11 | <0.1%, Theoretical Threat | Directly Exposed; Context importance: MEDIUM |
| CVE-2025-64506 | MEDIUM 5.18 | java-21-openjdk-headless | 1:21.0.11.0.10-2.el9 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-2100 | MEDIUM 5.1 | p11-kit-trust | 0.25.3-3.el9_5 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed; Context importance: MEDIUM |
| CVE-2026-5598 | MEDIUM 5.1 | org.bouncycastle:bcprov-jdk18on | 1.83 | fixed in 1.84 | <0.1%, Theoretical Threat | Directly Exposed; Context importance: MEDIUM |
| CVE-2026-42198 | MEDIUM 5.1 | org.postgresql:postgresql | 42.7.10 | fixed in 42.7.11 | <0.1%, Theoretical Threat | Directly Exposed; Context importance: MEDIUM |
| CVE-2026-5435 | MEDIUM 5.02 | glibc | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-5435 | MEDIUM 5.02 | glibc-common | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-5435 | MEDIUM 5.02 | glibc-langpack-en | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2025-13151 | MEDIUM 5.02 | libtasn1 | 4.16.0-9.el9 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2020-12413 | MEDIUM 5.02 | nspr | 4.36.0-8.el9_4 | No fix yet | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2020-12413 | MEDIUM 5.02 | nss | 3.112.0-8.el9_4 | No fix yet | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2020-12413 | MEDIUM 5.02 | nss-softokn | 3.112.0-8.el9_4 | No fix yet | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2020-12413 | MEDIUM 5.02 | nss-softokn-freebl | 3.112.0-8.el9_4 | No fix yet | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2020-12413 | MEDIUM 5.02 | nss-sysinit | 3.112.0-8.el9_4 | No fix yet | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2020-12413 | MEDIUM 5.02 | nss-util | 3.112.0-8.el9_4 | No fix yet | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2026-27171 | MEDIUM 4.67 | java-21-openjdk-headless | 1:21.0.11.0.10-2.el9 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2022-27943 | MEDIUM 4.67 | libgcc | 11.5.0-11.el9 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2024-0232 | MEDIUM 4.67 | sqlite-libs | 3.34.1-9.el9_7 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-27171 | MEDIUM 4.67 | zlib | 1.2.11-40.el9 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-7500 | MEDIUM 4.59 | org.keycloak:keycloak-services | 26.6.1 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-4046 | MEDIUM 4.5 | glibc | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-4046 | MEDIUM 4.5 | glibc-common | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-4046 | MEDIUM 4.5 | glibc-langpack-en | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-22693 | MEDIUM 4.5 | java-21-openjdk-headless | 1:21.0.11.0.10-2.el9 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-6860 | MEDIUM 4.5 | io.vertx:vertx-core | 4.5.25 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-5450 | MEDIUM 4.25 | glibc | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-5928 | MEDIUM 4.25 | glibc | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-5450 | MEDIUM 4.25 | glibc-common | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-5928 | MEDIUM 4.25 | glibc-common | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-5450 | MEDIUM 4.25 | glibc-langpack-en | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-5928 | MEDIUM 4.25 | glibc-langpack-en | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2025-28164 | MEDIUM 4.25 | java-21-openjdk-headless | 1:21.0.11.0.10-2.el9 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-25646 | MEDIUM 4.13 | java-21-openjdk-headless | 1:21.0.11.0.10-2.el9 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-33636 | LOW 3.88 | java-21-openjdk-headless | 1:21.0.11.0.10-2.el9 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-26740 | LOW 3.83 | java-21-openjdk-headless | 1:21.0.11.0.10-2.el9 | No fix yet | 0.2%, Theoretical Threat | Directly Exposed |
| CVE-2026-33416 | LOW 3.83 | java-21-openjdk-headless | 1:21.0.11.0.10-2.el9 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-41254 | LOW 3.83 | java-21-openjdk-headless | 1:21.0.11.0.10-2.el9 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2025-64505 | LOW 3.74 | java-21-openjdk-headless | 1:21.0.11.0.10-2.el9 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-34757 | LOW 3.74 | java-21-openjdk-headless | 1:21.0.11.0.10-2.el9 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-4438 | LOW 3.4 | glibc | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-4438 | LOW 3.4 | glibc-common | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-4438 | LOW 3.4 | glibc-langpack-en | 2.34-231.el9_7.10 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2025-70873 | LOW 2.8 | sqlite-libs | 3.34.1-9.el9_7 | No fix yet | <0.1%, Theoretical Threat | Directly Exposed |
| CVE-2022-41409 | LOW 2.29 | pcre2 | 10.40-6.el9 | No fix yet | <0.1%, Theoretical Threat | Post-Exploit |
| CVE-2022-41409 | LOW 2.29 | pcre2-syntax | 10.40-6.el9 | No fix yet | <0.1%, Theoretical Threat | Post-Exploit |
| CVE-2025-5278 | LOW 2.24 | coreutils-single | 8.32-39.el9 | No fix yet | 0.1%, Theoretical Threat | Post-Exploit |
| CVE-2023-50495 | NONE 0 | ncurses-base | 6.2-12.20210508.el9 | No fix yet | <0.1%, Theoretical Threat | Not Applicable |
| CVE-2023-50495 | NONE 0 | ncurses-libs | 6.2-12.20210508.el9 | No fix yet | <0.1%, Theoretical Threat | Not Applicable |
| CVE-2026-42583 | NONE 0 | io.netty:netty-codec | 4.1.130.Final | fixed in 4.1.133.Final | | Not Applicable |
| CVE-2026-42579 | NONE 0 | io.netty:netty-codec-dns | 4.1.130.Final | fixed in 4.2.13.Final, 4.1.133.Final | | Not Applicable |
| CVE-2026-42584 | NONE 0 | io.netty:netty-codec-http | 4.1.130.Final | fixed in 4.2.13.Final, 4.1.133.Final | | Not Applicable |
| CVE-2026-42587 | NONE 0 | io.netty:netty-codec-http | 4.1.130.Final | fixed in 4.2.13.Final, 4.1.133.Final | | Not Applicable |
| CVE-2026-41417 | NONE 0 | io.netty:netty-codec-http | 4.1.130.Final | fixed in 4.1.133.Final, 4.2.13.Final | <0.1%, Theoretical Threat | Not Applicable |
| CVE-2026-42580 | NONE 0 | io.netty:netty-codec-http | 4.1.130.Final | fixed in 4.2.13.Final, 4.1.133.Final | | Not Applicable |
| CVE-2026-42581 | NONE 0 | io.netty:netty-codec-http | 4.1.130.Final | fixed in 4.2.13.Final, 4.1.133.Final | | Not Applicable |
| CVE-2026-42585 | NONE 0 | io.netty:netty-codec-http | 4.1.130.Final | fixed in 4.2.13.Final, 4.1.133.Final | | Not Applicable |
| CVE-2026-42587 | NONE 0 | io.netty:netty-codec-http2 | 4.1.130.Final | fixed in 4.2.13.Final, 4.1.133.Final | | Not Applicable |
| CVE-2026-42578 | NONE 0 | io.netty:netty-handler-proxy | 4.1.130.Final | fixed in 4.1.133.Final, 4.2.13.Final | | Not Applicable |
| CVE-2026-42577 | NONE 0 | io.netty:netty-transport-native-epoll | 4.1.130.Final | fixed in 4.2.13.Final | | Not Applicable |