ZLib vulnerability in Keycloak 26.5.x - CVE-2026-22184 - Remediation/Impact? #45692
We are upgrading our Keycloak container image to 26.5 (latest), but our security vulnerability scans show this newer High severity vulnerability in Keycloak dependencies (CVE-2026-22184). Understanding that this is a very recent, but impactful issue, what are plans for mitigation of this issue, or is the impact on Keycloak low if zlib decompression functionality isn't ever exposed to unauthorized users? Just need to get an idea of how to answer security team on impact or timeline for resolution. Many thanks,
Replies: 1 comment
Answering my own question, a bug was already opened from internal trivy security scan... #45604. Per the bug comments, this issue is showing up in Keycloak as a false positive due to the openjdk dependency that includes the zlib library. Keycloak itself is likely not affected by this issue in container deployments.
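As an added example (not from this thread or the Keycloak project), a small triage step for a Trivy JSON report: a finding is suppressed only while its CVE id, package name and a review expiry all match an accepted entry, so a base-image false positive like the one the reply describes is recorded with its rationale and re-reviewed rather than silently dropped. The report content, the expiry date and the acceptance policy are constructed assumptions, and the CVE-0000-* ids are placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of a Trivy JSON report; not a real scan result.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "keycloak (ubi-minimal)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2026-22184", "PkgName": "zlib",
              "InstalledVersion": "1.2.13", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
              "InstalledVersion": "3.0.7", "Severity": "CRITICAL"}]},
        {"Target": "Java", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "org.example:lib",
              "InstalledVersion": "1.0", "Severity": "HIGH"}]}]})

# Assumed acceptance policy: every suppression carries a package, a rationale and
# an expiry so it is re-reviewed instead of being forgotten.
ACCEPTED = {
    "CVE-2026-22184": {
        "package": "zlib",
        "reason": "zlib comes from the OpenJDK base layer; tracked as a false positive in #45604",
        "expires": date(2026, 6, 30),  # assumed review date
    },
}


def triage(report_json: str, today: date):
    """Split findings into (actionable, suppressed) lists of (cve, package, target)."""
    actionable, suppressed = [], []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            key = (vuln["VulnerabilityID"], vuln["PkgName"], result["Target"])
            acc = ACCEPTED.get(vuln["VulnerabilityID"])
            # Suppress only when CVE, package and validity window all match.
            if acc and acc["package"] == vuln["PkgName"] and today <= acc["expires"]:
                suppressed.append(key)
            else:
                actionable.append(key)
    return actionable, suppressed


if __name__ == "__main__":
    todo, skipped = triage(SAMPLE_REPORT, date.today())
    print("actionable:", todo)
    print("suppressed:", skipped)
```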