@keycloak/keycloak-admin-client
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: nothing proves that the published artifact was built from the repository's code by a known build system rather than from whatever was on the publisher's machine. The axios compromise (March 2026) relied on exactly this gap. Provenance closes it only partially: an attestation identifies the commit and the workflow that produced the artifact, it does not vouch for the code itself.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): 127.0.0.1:8180 is the default local Keycloak server URL; not a remote exfiltration endpoint. | ai | |
| dependencies | unvetted-dep:camelize-ts | AI (dependencies): Legitimate utility library; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@microsoft/kiota-abstractions | AI (dependencies): Official Microsoft Kiota SDK library used for OpenAPI-generated client; expected dependency. | ai | |
| dependencies | unvetted-dep:@microsoft/kiota-http-fetchlibrary | AI (dependencies): Official Microsoft Kiota SDK library; expected dependency for this package. | ai | |
| dependencies | unvetted-dep:@microsoft/kiota-serialization-form | AI (dependencies): Official Microsoft Kiota SDK library; expected dependency for this package. | ai | |
| dependencies | unvetted-dep:@microsoft/kiota-serialization-json | AI (dependencies): Official Microsoft Kiota SDK library; expected dependency for this package. | ai | |
| dependencies | unvetted-dep:@microsoft/kiota-serialization-text | AI (dependencies): Official Microsoft Kiota SDK library; expected dependency for this package. | ai | |
| dependencies | unvetted-dep:@microsoft/kiota-serialization-multipart | AI (dependencies): Official Microsoft Kiota SDK library; expected dependency for this package. | ai | |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 26.6.2 | 8 / 10 | |
| 26.6.1 | 8 / 10 | |
| 26.5.7 | 2 / 9 | |
| 26.5.6 | 2 / 9 | |
| 26.5.5 | 2 / 9 | |
| 26.5.4 | 2 / 9 | |
| 26.5.3 | 2 / 9 | |
| 26.5.2 | 2 / 9 | |
| 26.5.1 | 2 / 9 | |
| 26.5.0 | 2 / 9 | |
| 26.4.7 | 2 / 9 | |
| 26.4.6 | 2 / 9 | |
| 26.4.5 | 3 / 9 | |
| 26.4.4 | 3 / 9 | |
| 26.4.2 | 3 / 9 | |
| 26.4.1 | 3 / 9 | |
| 26.4.0 | 3 / 9 | |
| 26.3.5 | 3 / 9 | |
| 26.3.4 | 3 / 9 | |
| 26.3.3 | 3 / 9 | |
| 26.3.2 | 3 / 9 | |
| 26.2.5 | 3 / 9 | |
| 26.2.4 | 3 / 9 | |
| 26.2.3 | 3 / 9 | |
| 26.2.2 | 3 / 9 | |
v26.6.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.5.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.5.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.5.5
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.5.4
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.5.3
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.5.2
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.5.1
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.5.0
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.4.7
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.4.6
2 findings: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.4.5
2 findings: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.4.4
2 findings: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.4.2
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.4.1
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.4.0
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.3.5
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.3.4
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.3.3
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.3.2
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.2.5
2 findings: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.2.4
2 findings: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.2.3
2 findings: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
v26.2.2
2 findings: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
CVSS 3.1 (LOW) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
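The provenance paragraph at the top of this page and the "published without Sigstore provenance" finding repeated for every version above can both be checked independently of this scanner. The Node script below is an added example, not code from this page or from the Keycloak project: it reads an npm registry packument and reports which versions carry a provenance attestation, which npm records under `dist.attestations` with an SLSA `predicateType`. The sample packument, the package name in it and the `NPM_PACKAGE_TO_CHECK` environment variable are constructed for illustration; only the registry URL shape and the `dist.attestations` field are real npm behaviour.

```javascript
// Added example (not from the scan page or the Keycloak project): report which
// published versions of an npm package carry Sigstore/SLSA provenance by reading
// the registry packument's dist.attestations field. Node 18+ (global fetch).

const SLSA_PREDICATE_PREFIX = 'https://slsa.dev/provenance/';

// True when the version's dist metadata points at a provenance attestation.
// npm publishes it as dist.attestations.provenance.predicateType (v0.2 or v1).
function hasProvenance(versionMeta) {
  const att = versionMeta && versionMeta.dist && versionMeta.dist.attestations;
  const predicate = att && att.provenance && att.provenance.predicateType;
  return typeof predicate === 'string' && predicate.startsWith(SLSA_PREDICATE_PREFIX);
}

// Classify every version in the packument.
function provenanceReport(packument) {
  const report = { withProvenance: [], withoutProvenance: [] };
  for (const [version, meta] of Object.entries(packument.versions || {})) {
    (hasProvenance(meta) ? report.withProvenance : report.withoutProvenance).push(version);
  }
  return report;
}

// Resolve the 'latest' dist-tag and check that version specifically.
function latestHasProvenance(packument) {
  const tags = packument['dist-tags'] || {};
  const latest = tags.latest;
  return Boolean(latest && packument.versions && hasProvenance(packument.versions[latest]));
}

// Live lookup. Scoped names keep the '@' and encode only the slash:
// https://registry.npmjs.org/@keycloak%2Fkeycloak-admin-client
async function fetchPackument(name) {
  const url = `https://registry.npmjs.org/${name.replace('/', '%2F')}`;
  const res = await fetch(url, { headers: { accept: 'application/json' } });
  if (!res.ok) throw new Error(`registry returned ${res.status} for ${name}`);
  return res.json();
}

// Constructed sample packument (not real registry data). 1.0.0 carries the
// attestations block a provenance-enabled publish produces; 1.0.1 does not,
// which is the situation every version on this page is in.
const SAMPLE_PACKUMENT = {
  name: '@example/demo-client',
  'dist-tags': { latest: '1.0.1' },
  versions: {
    '1.0.0': {
      dist: {
        integrity: 'sha512-AAAA...',
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/@example%2Fdemo-client@1.0.0',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
    '1.0.1': { dist: { integrity: 'sha512-BBBB...' } },
  },
};

// Stand-alone run: report on the sample, or on the package named in
// NPM_PACKAGE_TO_CHECK (assumed variable name) against the live registry.
const liveTarget = process.env.NPM_PACKAGE_TO_CHECK;
(liveTarget ? fetchPackument(liveTarget) : Promise.resolve(SAMPLE_PACKUMENT)).then((pkg) => {
  const r = provenanceReport(pkg);
  console.log(`${pkg.name}: latest has provenance = ${latestHasProvenance(pkg)}`);
  console.log(`with provenance (${r.withProvenance.length}): ${r.withProvenance.join(', ') || '-'}`);
  console.log(`without provenance (${r.withoutProvenance.length}): ${r.withoutProvenance.join(', ') || '-'}`);
});
```

Presence of the field only tells you an attestation was published; to verify it, fetch the bundle at `dist.attestations.url` and check the Sigstore signature and the SLSA subject digest against the tarball, or run `npm audit signatures` in a project that already has the package installed, which performs that verification for the whole install tree.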