Vulnerability Reportkeycloak/keycloak:26.6

Name: keycloak/keycloak:26.6.3-0 Security Vulnerability Report
Creator: BaseImage
Keywords: keycloak/keycloak:26.6.3-0, Docker security, vulnerability scan, CVE, container security, SBOM

keycloak/keycloak:latestkeycloak/keycloak:26.6keycloak/keycloak:26.6.3-0keycloak/keycloak:26.6.3

DIGESTsha256:5fdbf2dbb5897cc34e82de49d13e23db011f9925089dbc555fc095f2c8bc1dac

Executive Summary

NEEDS_ATTENTION

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. Key findings include CVE-2026-33416, a critical libpng vulnerability that could lead to arbitrary code execution if Keycloak processes specially crafted PNG images, potentially compromising the system. Additionally, CVE-2026-45292 in OpenTelemetry could cause a denial of service due to excessive memory consumption. While the image is from a reputable community source, addressing these four high-severity exposed vulnerabilities, and the total of 45 exposed findings, is crucial for maintaining a strong security posture.

Threat Score

30/100

NEEDS_ATTENTION

Highly reliable community image from Keycloak, backed by 14M+ pulls and pinned by digest.
Four EXPOSED_SURFACE vulnerabilities with severity >= 6.0, with a maximum severity of 6.63 (CVE-2026-22801).
A critical EXPOSED_SURFACE vulnerability, CVE-2026-33416 (severity 6.38), could enable arbitrary code execution via crafted PNG images.
Another significant EXPOSED_SURFACE finding, CVE-2026-45292 (severity 6.0), may lead to denial of service through OpenTelemetry baggage processing.
A total of 45 EXPOSED_SURFACE vulnerabilities are identified.

Reputation

RELIABLE

keycloak

POPULAR COMMUNITY

High Reputation Community Image (14M+ pulls)
Pinned by digest (Immutable)

BaseImage/

keycloak/keycloak:26.6

Hardened

Grade

A+

Vulns

Verified & secured for production

Vulnerabilities

Vulnerability Log

57 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-22801	MEDIUM6.63	java-21-openjdk-headless 1:21.0.11.0.10-2.el9 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-33416	MEDIUM6.38	java-21-openjdk-headless 1:21.0.11.0.10-2.el9 No fix yet	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-22695	MEDIUM6.03	java-21-openjdk-headless 1:21.0.11.0.10-2.el9 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-45292	MEDIUM6	io.opentelemetry:opentelemetry-api 1.57.0 fixed in 1.62.0	—	Directly ExposedContext importance: MEDIUM
CVE-2026-25646	MEDIUM5.5	java-21-openjdk-headless 1:21.0.11.0.10-2.el9 No fix yet	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2025-59250	MEDIUM5.5	com.microsoft.sqlserver:mssql-jdbc 13.2.1 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2025-64506	MEDIUM5.18	java-21-openjdk-headless 1:21.0.11.0.10-2.el9 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-33636	MEDIUM5.17	java-21-openjdk-headless 1:21.0.11.0.10-2.el9 No fix yet	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-41254	MEDIUM5.1	java-21-openjdk-headless 1:21.0.11.0.10-2.el9 No fix yet	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-5435	MEDIUM5.02	glibc 2.34-270.el9_8 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5435	MEDIUM5.02	glibc-common 2.34-270.el9_8 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5435	MEDIUM5.02	glibc-langpack-en 2.34-270.el9_8 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-13151	MEDIUM5.02	libtasn1 4.16.0-9.el9 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2020-12413	MEDIUM5.02	nspr 4.36.0-8.el9_4 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2020-12413	MEDIUM5.02	nss 3.112.0-8.el9_4 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2020-12413	MEDIUM5.02	nss-softokn 3.112.0-8.el9_4 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2020-12413	MEDIUM5.02	nss-softokn-freebl 3.112.0-8.el9_4 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2020-12413	MEDIUM5.02	nss-sysinit 3.112.0-8.el9_4 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2020-12413	MEDIUM5.02	nss-util 3.112.0-8.el9_4 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2025-66293	MEDIUM4.82	java-21-openjdk-headless 1:21.0.11.0.10-2.el9 No fix yet	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-27171	MEDIUM4.67	java-21-openjdk-headless 1:21.0.11.0.10-2.el9 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2021-46195	MEDIUM4.67	libgcc 11.5.0-14.el9 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2022-27943	MEDIUM4.67	libgcc 11.5.0-14.el9 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2024-0232	MEDIUM4.67	sqlite-libs 3.34.1-10.el9_8 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.2.11-40.el9 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-22693	MEDIUM4.5	java-21-openjdk-headless 1:21.0.11.0.10-2.el9 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc 2.34-270.el9_8 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc 2.34-270.el9_8 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-common 2.34-270.el9_8 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-common 2.34-270.el9_8 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-langpack-en 2.34-270.el9_8 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-langpack-en 2.34-270.el9_8 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-28164	MEDIUM4.25	java-21-openjdk-headless 1:21.0.11.0.10-2.el9 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-64505	LOW3.74	java-21-openjdk-headless 1:21.0.11.0.10-2.el9 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-34757	LOW3.74	java-21-openjdk-headless 1:21.0.11.0.10-2.el9 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5958	LOW3.21	sed 4.8-10.el9 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2025-70873	LOW2.8	sqlite-libs 3.34.1-10.el9_8 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2022-41409	LOW2.29	pcre2 10.40-6.el9 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2022-41409	LOW2.29	pcre2-syntax 10.40-6.el9 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2025-5278	LOW2.24	coreutils-single 8.32-40.el9 No fix yet	0.1% Theoretical Threat	Post-Exploit
CVE-2024-7531	LOW1.99	nspr 4.36.0-8.el9_4 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2024-7531	LOW1.99	nss 3.112.0-8.el9_4 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2024-7531	LOW1.99	nss-softokn 3.112.0-8.el9_4 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2024-7531	LOW1.99	nss-softokn-freebl 3.112.0-8.el9_4 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2024-7531	LOW1.99	nss-sysinit 3.112.0-8.el9_4 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2024-7531	LOW1.99	nss-util 3.112.0-8.el9_4 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2023-50495	NONE0	ncurses-base 6.2-12.20210508.el9 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2023-50495	NONE0	ncurses-libs 6.2-12.20210508.el9 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-22020	NONE0	java-21-openjdk-headless 1:21.0.11.0.10-2.el9 No fix yet	—	Not Applicable
CVE-2026-44893	NONE0	io.netty:netty-codec-haproxy 4.1.133.Final fixed in 4.2.15.Final, 4.1.135.Final	—	Not Applicable
CVE-2026-47244	NONE0	io.netty:netty-codec-http2 4.1.133.Final fixed in 4.2.15.Final, 4.1.135.Final	—	Not Applicable
CVE-2026-44249	NONE0	io.netty:netty-handler 4.1.133.Final fixed in 4.2.15.Final, 4.1.135.Final	—	Not Applicable
CVE-2026-45416	NONE0	io.netty:netty-handler 4.1.133.Final fixed in 4.2.15.Final, 4.1.135.Final	—	Not Applicable
CVE-2026-45674	NONE0	io.netty:netty-resolver-dns 4.1.133.Final fixed in 4.2.15.Final, 4.1.135.Final	—	Not Applicable
CVE-2026-47691	NONE0	io.netty:netty-resolver-dns 4.1.133.Final fixed in 4.2.15.Final, 4.1.135.Final	—	Not Applicable
CVE-2026-45673	NONE0	io.netty:netty-resolver-dns 4.1.133.Final fixed in 4.2.15.Final, 4.1.135.Final	—	Not Applicable
CVE-2026-45536	NONE0	io.netty:netty-transport-native-epoll 4.1.133.Final fixed in 4.2.15.Final, 4.1.135.Final	—	Not Applicable