org.keycloak:keycloak-services@26.4.6

  • latest version

    26.6.4

  • first published

    12 years ago

  • latest version published

    8 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Authorization Bypass Through User-Controlled Key

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the addChild endpoint in the Admin REST API when Fine-Grained Admin Permissions v2 are enabled. An attacker with delegated manage-members permissions on a low-privilege group can bypass authorization checks to reparent any group, including those with elevated privileges, under their control. This enables the attacker to reset passwords of members in the targeted group and potentially take over the entire realm by compromising privileged accounts.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade org.keycloak:keycloak-services to version 26.4.13, 26.6.4 or higher.

    [,26.4.13) [26.5.0,26.6.4)
    • M
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via the keystore parameter when creating a key provider component. An attacker can determine the existence and readability of files on the server by submitting crafted filesystem paths. This is only exploitable if the attacker possesses the "manage-realm" administrative role.

    How to fix Directory Traversal?

    Upgrade org.keycloak:keycloak-services to version 26.4.13, 26.6.4 or higher.

    [,26.4.13) [26.5.0,26.6.4)
    • M
    Insufficient Session Expiration

    Affected versions of this package are vulnerable to Insufficient Session Expiration via the Registration Access Token process. An attacker can gain unauthorized access to resources and modify client configurations by using a previously issued token to re-enable a disabled client, reset its secret, and restore OAuth client_credentials capability, thereby bypassing administrative controls.

    How to fix Insufficient Session Expiration?

    Upgrade org.keycloak:keycloak-services to version 26.4.13, 26.6.4 or higher.

    [,26.4.13) [26.5.0,26.6.4)
    • H
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the client URI validation process. An attacker can execute arbitrary scripts in the context of the application by registering a malicious client with a specially crafted redirect URI using mixed-case javascript: or data: schemes and tricking a victim into interacting with a crafted link, such as during the logout flow. This is only exploitable if the attacker has administrative privileges with manage-client permission or access to client registration endpoints, and user interaction occurs.

    How to fix Cross-site Scripting (XSS)?

    Upgrade org.keycloak:keycloak-services to version 26.4.13, 26.6.4 or higher.

    [,26.4.13) [26.5.0,26.6.4)
    • H
    Incorrect Privilege Assignment

    Affected versions of this package are vulnerable to Incorrect Privilege Assignment in the Identity Provider mapper process. An attacker can gain unauthorized administrative privileges by creating a hardcoded role mapping that assigns elevated roles to themselves or others, thereby bypassing intended authorization checks.

    How to fix Incorrect Privilege Assignment?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • H
    Improper Verification of Cryptographic Signature

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the JWT Authorization Grant flow due to algorithm confusion in signature verification. An attacker can gain unauthorized access and potentially escalate privileges by forging assertions and creating unauthorized access tokens.

    How to fix Improper Verification of Cryptographic Signature?

    A fix was pushed into the master branch but not yet published.

    [0,)
    • M
    Insufficient Granularity of Access Control

    Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the getMembers() methods that serve the group members endpoint. An admin user with delegated access to read group memberships and users can read user profile attributes that are explicitly configured to be denied by using their delegated administrative access to expose those values over the group membership API.

    How to fix Insufficient Granularity of Access Control?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure via the SAML ECP endpoint when specially crafted SOAP requests are sent with varying client IDs. An attacker can obtain protocol type information associated with different client IDs by analyzing the faultstrings in the responses.

    How to fix Information Exposure?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [2.0.0.Final,26.6.3)
    • H
    Improper Validation of Specified Quantity in Input

    Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the TokenEndpoint endpoint when an oversized subject_token JWT exceeding 4000 characters is submitted. An attacker can gain unintended service account permissions by exploiting the fallback to client credentials that occurs when the oversized token is silently dropped.

    How to fix Improper Validation of Specified Quantity in Input?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • M
    Incorrect Privilege Assignment

    Affected versions of this package are vulnerable to Incorrect Privilege Assignment via improper enforcement of scope mapping in the Fine-Grained Admin Permissions (FGAPv2) feature due to ScopeMappedResource and ScopeMappedClientResource write endpoints missing a call to requireMapClientScope per role. An attacker can gain unauthorized access to privileged roles by injecting arbitrary realm roles into a client's scope, which are then projected into a user's authentication token upon login through the compromised client. This is only exploitable if Fine-Grained Admin Permissions (FGAPv2) are enabled and the attacker has fine-grained client management permissions, and a privileged user subsequently authenticates through the affected client.

    How to fix Incorrect Privilege Assignment?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [26.2.0,26.6.3)
    • L
    Improper Validation of Consistency within Input

    Affected versions of this package are vulnerable to Improper Validation of Consistency within Input via the authentication process when a client is configured with a wildcard redirect URI. An attacker can cause the client application to incorrectly process attacker-controlled OIDC response parameters by crafting a malicious authorization URL and tricking a user into clicking it.

    How to fix Improper Validation of Consistency within Input?

    A fix was pushed into the master branch but not yet published.

    [0,)
    • H
    Improper Verification of Cryptographic Signature

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the requestObjectSignatureAlg policy bypass during the processing of JWE-encrypted request objects containing raw JSON plaintext. An attacker can submit unauthorized claims by crafting specially formed JWE-encrypted request objects, potentially compromising data integrity within the OpenID Connect authorization flow.

    How to fix Improper Verification of Cryptographic Signature?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • H
    Insufficient Session Expiration

    Affected versions of this package are vulnerable to Insufficient Session Expiration due to the startupTime reset during server restart when revokeRefreshToken=true and persistent session storage is enabled. An attacker can gain unauthorized access to user accounts by replaying a previously revoked refresh token that was captured before the restart.

    How to fix Insufficient Session Expiration?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • L
    Authentication Bypass by Primary Weakness

    Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the Client-Initiated Backchannel Authentication (CIBA) flow. An attacker can continue authentication attempts and obtain tokens by exploiting the CIBA flow even when a user account is locked due to brute-force protection. This is only exploitable if CIBA is explicitly enabled and configured, and the user approves the authentication request on their device.

    How to fix Authentication Bypass by Primary Weakness?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • M
    Out-of-bounds Read

    Affected versions of this package are vulnerable to Out-of-bounds Read via the authorization header parsing in the ClientRegistrationAuth component. An attacker can cause a temporary disruption of service by sending a specially crafted request with a malformed 'Authorization: Bearer' header, which triggers an ArrayIndexOutOfBoundsException and results in an HTTP 500 error.

    How to fix Out-of-bounds Read?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [9.0.0,26.6.3)
    • H
    Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the role rename endpoint. An attacker can gain unauthorized administrative privileges by exploiting a timing window between permission checks and their enforcement. The attacker can escalate their access to realm-wide administrative control, even after their original permissions are revoked and across system reboots.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    A fix was pushed into the master branch but not yet published.

    [0,)
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the user-facing APIs when the Organizations feature is disabled. An attacker can access organization membership data and obtain tokens containing organization claims by making authenticated requests, even after an administrator has disabled the feature at the realm level.

    How to fix Incorrect Authorization?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • M
    Improper Handling of Insufficient Permissions or Privileges

    Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the org.keycloak.protocol.oidc component when specific condition providers such as client-type, client-roles, client-attributes, or client-scopes are used. An attacker can gain unauthorized access and obtain authentication tokens by bypassing configured policy restrictions through Resource Owner Password Credentials (ROPC) grants, even when policies are set to block such requests. This is only exploitable if client policies rely on these condition providers to enforce ROPC grant rejection.

    How to fix Improper Handling of Insufficient Permissions or Privileges?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • M
    Incorrect Implementation of Authentication Algorithm

    Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm through the TokenManager and OIDC endpoint token checks in the access token introspection, refresh token, and userinfo paths. An attacker can keep using a token after a realm-level not-before event by presenting it to introspection, refresh, or userinfo requests when client-level not-before values are also in play. This lets revoked or otherwise invalidated tokens remain accepted, allowing continued access to protected account, userinfo, and token-refresh operations until the token expires.

    How to fix Incorrect Implementation of Authentication Algorithm?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [9.0.0,26.6.3)
    • M
    Client-Side Enforcement of Server-Side Security

    Affected versions of this package are vulnerable to Client-Side Enforcement of Server-Side Security through the processAction() registration flow in the WebAuthn authenticator components. An attacker can register a credential that does not match the realm’s WebAuthn policy by modifying the browser-side registration parameters or by using an authenticator that returns a different algorithm than requested. The server accepts and stores credentials with disallowed algorithms or other mismatched registration properties, and the same stored credential is then used for future logins without any server-side policy check, leaving users with WebAuthn credentials that do not enforce the administrator’s configured requirements.

    How to fix Client-Side Enforcement of Server-Side Security?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [9.0.2,26.6.3)
    • H
    User Impersonation

    Affected versions of this package are vulnerable to User Impersonation through the SessionCodeChecks logic in SessionCodeChecks.java. An attacker can reuse an auth_session_id and related login-action parameters from a different browser session to reach the authentication flow and trigger login or required-action processing without the expected session-cookie match. This lets the attacker force the server to accept a mismatched authentication session, resulting in unauthorized access to the login action flow and potential account takeover or session confusion for the victim.

    Note: While the fix was back-ported to version 26.4.12, this version has not been published to Maven Central.

    How to fix User Impersonation?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [4.0.0.Beta1,26.6.2)
    • H
    Open Redirect

    Affected versions of this package are vulnerable to Open Redirect through the areWildcardsAllowed check in RedirectUtils. An attacker can bypass redirect URI validation by supplying a redirect URI with an unparsed authority component and wildcard patterns, thereby sending users to an attacker-controlled destination.

    Notes

    • Clients only become vulnerable when their Valid Redirect URIs include a wildcard (*); exact-match redirect URI configurations are not affected by this bypass.
    • Exploitation depends on a malformed redirect URI whose authority cannot be parsed cleanly by Java’s URI handling, such as one using multiple @ characters in the user-info portion.

    How to fix Open Redirect?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [,26.6.2)
    • M
    Open Redirect

    Affected versions of this package are vulnerable to Open Redirect via the TokenEndpoint introspection flow in the OIDC protocol handlers. An attacker can introspect tokens intended for another client by sending them to the token introspection endpoint from an authenticated client that is not listed in the token’s aud claim, exposing token metadata and claims for tokens outside that client’s intended audience.

    Note: While the fix was back-ported to version 26.4.12, this version has not been published to Maven Central.

    How to fix Open Redirect?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [,26.6.2)
    • H
    External Control of Assumed-Immutable Web Parameter

    Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter via the SessionCodeChecks restart flow in the login session handling code. An attacker can steer a restarted authentication session to an attacker-chosen URL by supplying a crafted client_data parameter with a different redirect_uri, causing the victim’s browser to be redirected to the attacker’s endpoint after login. This can send the user’s authorization response to the wrong location, exposing the login result to an untrusted site.

    Note: While the fix was back-ported to version 26.4.12, this version has not been published to Maven Central.

    How to fix External Control of Assumed-Immutable Web Parameter?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [26.3.0,26.6.2)
    • H
    Replay Attack

    Affected versions of this package are vulnerable to Replay Attack through the RequiredActionFactory and required-action implementations in the authentication flow. An attacker can reuse a required-action email token by completing the action and then opening the same link again, causing the same account-management action to be accepted more than once. This lets a stale execute-actions-email link remain valid for repeated use, allowing repeated password updates, TOTP enrollment, account deletion, or other required actions to be triggered from the same token and undermining the intended single-use behavior.

    Notes

    • The replay issue is not limited to password resets: any required action implemented through RequiredActionFactory and exposed via execute-actions-email inherits the same single-use semantics, including flows such as TOTP enrollment, account deletion, and WebAuthn-related enrollment paths.
    • The vulnerable behavior is in the default isOneTimeAction() contract, so deployments that rely on custom required-action providers without their own override can also be affected even if the built-in actions are not the only ones in use.
    • While the fix was back-ported to version 26.4.12, this version has not been published to Maven Central.

    How to fix Replay Attack?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [,26.6.2)
    • H
    Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the ResourceService in the resource management API. An attacker can update, read, list, or delete resources they do not own by sending requests to the resource endpoints with a valid protection token. This lets a non-owner take over or inspect protected resources and disrupt other users’ resource and permission management.

    Note: While the fix was back-ported to version 26.4.12, this version has not been published to Maven Central.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [2.0.0.CR1,26.6.2)
    • M
    Insufficient Granularity of Access Control

    Affected versions of this package are vulnerable to Insufficient Granularity of Access Control via the user handler in the resource account service. An attacker can retrieve another user’s profile details by sending a GET request with an arbitrary value parameter for a resource they can access. The endpoint returns the target user’s identifier, username, first name, last name, and email without verifying that the requester owns the user record or has a permission request for that resource, exposing account data to unauthorized callers.

    Note: While the fix was back-ported to version 26.4.12, this version has not been published to Maven Central.

    How to fix Insufficient Granularity of Access Control?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [7.0.0,26.6.2)
    • M
    Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the generateAccessToken path in ClientScopeEvaluateResource.java. An attacker can generate client scope tokens for a user by supplying that user’s ID to client scope evaluation without having permission to view the user. The vulnerable flow resolves the target user and proceeds to generate a token without enforcing a user access check, allowing callers with client-scope evaluation access to act on users they are not authorized to inspect. This exposes user-related token data, allowing unauthorized administrators or users with low administrative privileges to evaluate scopes against arbitrary users.

    Note: While the fix was back-ported to version 26.4.12, this version has not been published to Maven Central.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [,26.6.2)
    • H
    Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the cross-session email verification process. An attacker can gain persistent access to another user's local account by consuming the verification proof when controlling an upstream identity provider account that shares an email address with the victim. This is only exploitable if the attacker controls an upstream identity provider account with the same email as the victim, the victim is actively linking their account, email verification is enabled, and the identity provider is configured with trustEmail=false.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [26.3.0,26.6.3)
    • L
    Improper Certificate Validation

    Affected versions of this package are vulnerable to Improper Certificate Validation via packed self-attestation in WebAuthn registration. An attacker can bypass the AAGUID allowlist by returning self-attestation when direct attestation is requested, as the AAGUID is not verified in this case, allowing registration with an unapproved authenticator.

    The attack surface is limited, as project maintainers note: "By default, for a simple implementation, attestation and AAGUIDs may not be considered necessary."

    How to fix Improper Certificate Validation?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [,26.6.2)
    • M
    Forced Browsing

    Affected versions of this package are vulnerable to Forced Browsing via the account and account-api features when the server is started with --features-disabled=account,account-api. An authenticated user with API access can perform unauthorized read and write operations on specific account endpoints by bypassing the intended feature disablement.

    How to fix Forced Browsing?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • M
    Origin Validation Error

    Affected versions of this package are vulnerable to Origin Validation Error in the UMA token endpoint when the azp claim from a client-supplied JWT is used to set the Access-Control-Allow-Origin header before the JWT signature is validated. An attacker can cause low-sensitivity information from authorization server error responses to be exposed by injecting a specially crafted JWT with a malicious azp value, which is reflected as the CORS origin.

    Note: This is only exploitable if the target client is misconfigured with webOrigins: ["*"].

    How to fix Origin Validation Error?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • H
    Excessive Platform Resource Consumption within a Loop

    Affected versions of this package are vulnerable to Excessive Platform Resource Consumption within a Loop via the scope parameter processing in the OpenID Connect (OIDC) token endpoint. An attacker can exhaust server resources and cause prolonged response times by sending a specially crafted POST request with an excessively long scope value.

    How to fix Excessive Platform Resource Consumption within a Loop?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • C
    Improper Isolation or Compartmentalization

    Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization due to improper type and namespace isolation in the SingleUseObjectProvider. An attacker can obtain unauthorized access by forging authorization codes, which may result in the creation of admin-level access tokens.

    How to fix Improper Isolation or Compartmentalization?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • H
    Open Redirect

    Affected versions of this package are vulnerable to Open Redirect via improper validation of redirect URIs in the authentication endpoint. An attacker can gain unauthorized access to sensitive information by exploiting path traversal sequences in the redirect parameter, potentially leading to the theft of access tokens.

    How to fix Open Redirect?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • H
    Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

    Affected versions of this package are vulnerable to Incorrect Behavior Order: Authorization Before Parsing and Canonicalization via the UMA Policy Resource (user with the uma_protection role). An attacker can gain unauthorized access to resources owned by other users by including their resource identifiers in a policy creation request, allowing them to obtain sensitive information or perform actions without proper authorization.

    How to fix Incorrect Behavior Order: Authorization Before Parsing and Canonicalization?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • M
    Improper Isolation or Compartmentalization

    Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through improper handling of single-use entries in the SingleUseObjectProvider, a global key-value store. An attacker can gain unauthorized access or compromise accounts by replaying consumed action tokens, such as password reset links.

    How to fix Improper Isolation or Compartmentalization?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • L
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the client_session_host parameter during refresh token requests when the client is configured to use the backchannel.logout.url with the application.session.host placeholder. An attacker can cause the server to make HTTP requests to arbitrary internal or external endpoints by manipulating this parameter, potentially leading to information disclosure by probing internal networks or APIs.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure in the identity-first login flow when Organizations are enabled. An attacker can obtain information about the existence of users by analyzing differential error messages.

    How to fix Information Exposure?

    Upgrade org.keycloak:keycloak-services to version 26.6.1 or higher.

    [,26.6.1)
    • M
    Access Control Bypass

    Affected versions of this package are vulnerable to Access Control Bypass due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. An attacker can modify protected resources without proper authorization by sending crafted requests to this endpoint when the allowRemoteResourceManagement setting is set to false.

    How to fix Access Control Bypass?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [,26.6.2)
    • M
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) when processing client configuration requests. An attacker can make the server issue unintended requests to internal or restricted resources by sending a malicious sector_identifier_uri that points at addresses such as a cloud metadata service at 169.254.169.254.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade org.keycloak:keycloak-services to version 26.6.1 or higher.

    [,26.6.1)
    • M
    Improper Validation of Specified Type of Input

    Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via improper validation of encrypted SAML assertions. An attacker can gain unauthorized access by submitting specially crafted SAML assertions.

    How to fix Improper Validation of Specified Type of Input?

    Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

    [,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)
    • H
    Authentication Bypass by Primary Weakness

    Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the SAML Identity Provider authentication process, which remains usable even when the provider is disabled. An attacker can gain unauthorized access by authenticating through a provider that should not be available.

    How to fix Authentication Bypass by Primary Weakness?

    Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

    [,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)
    • H
    Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the IdentityBrokerService.performLogin endpoint. An attacker can gain unauthorized access and bypass administrative restrictions by reusing a previously generated login request referencing a disabled external identity provider.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

    [,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)
    • H
    Authentication Bypass by Primary Weakness

    Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness when a disabled SAML client is configured as an Identity Provider (IdP)-initiated broker landing target. An attacker can gain unauthorized access to other enabled clients via a Single Sign-On (SSO) session.

    How to fix Authentication Bypass by Primary Weakness?

    Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

    [,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)
    • L
    Missing Critical Step in Authentication

    Affected versions of this package are vulnerable to Missing Critical Step in Authentication due to insufficient validation of the authentication Level of Assurance in the Account REST API. An attacker can gain control over a victim's account by deleting the victim's registered MFA device and registering their own, provided they have obtained the victim's primary credentials.

    How to fix Missing Critical Step in Authentication?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • M
    Improper Handling of Insufficient Permissions or Privileges

    Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the UMA 2.0 Protection API, which fails to enforce the uma_protection role check. An attacker can access sensitive information by leveraging these insufficient permission checks.

    How to fix Improper Handling of Insufficient Permissions or Privileges?

    Upgrade org.keycloak:keycloak-services to version 26.4.11, 26.5.6 or higher.

    [,26.4.11)[26.5.0,26.5.6)
    • H
    Incorrect Privilege Assignment

    Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the manage-clients permission assignment. An attacker can gain unauthorized access to higher-privileged operations by exploiting insufficient enforcement of access controls.

    How to fix Incorrect Privilege Assignment?

    Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

    [0,26.5.6)
    • M
    Improper Authorization

    Affected versions of this package are vulnerable to Improper Authorization in the /protocol/docker-v2/auth endpoint, which does not ensure that the client is in “Enabled” status before granting an access token. This allows a user in possession of valid credentials and the client ID of a disabled client to bypass administrative restrictions.

    How to fix Improper Authorization?

    Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.

    [0,26.5.4)
    • H
    Improper Handling of Highly Compressed Data (Data Amplification)

    Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) via the SAMLRequest DEFLATE decompression. An attacker can cause service disruption by sending highly compressed requests that trigger excessive resource consumption during decompression.

    How to fix Improper Handling of Highly Compressed Data (Data Amplification)?

    Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.

    [1.9.0.CR1,26.5.4)
    • L
    Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the Admin API when the Organizations feature is enabled. An authenticated attacker can enumerate the organization memberships of any other user if their unique identifier (UUID) is known.

    Note:

    This is only exploitable if the Organizations feature is enabled (which is the default in recent versions), the attacker possesses a valid access token for the realm, and the attacker knows the UUID of the victim user.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

    [0,26.5.6)
    • H
    Improper Verification of Cryptographic Signature

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the invitation tokens in the registration process. An attacker can gain unauthorized access to organizations by modifying the organization ID and target email within a legitimate invitation token's JWT payload.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

    [,26.5.3)
    • H
    Improperly Implemented Security Check for Standard

    Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard because the server does not verify whether an Identity Provider (IdP) is enabled before issuing tokens. An attacker can gain unauthorized access by obtaining valid access tokens through a disabled Identity Provider's signing key.

    How to fix Improperly Implemented Security Check for Standard?

    Upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

    [,26.5.3)
    • M
    Incorrect Privilege Assignment

    Affected versions of this package are vulnerable to Incorrect Privilege Assignment due to insufficient ownership verification in the UserManagedPermissionService (UMA Protection API). An attacker can gain unauthorized access to modify or delete authorization rules for resources they do not own by updating or deleting a policy associated with multiple resources, where the authorization check only validates ownership of the first resource in the list.

    How to fix Incorrect Privilege Assignment?

    Upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

    [,26.5.3)
    • M
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of the backchannel_client_notification_endpoint, which is configured during client registration or administration. A privileged user can make unauthorized requests to internal services, but cannot access the responses.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • H
    Improper Enforcement of Behavioral Workflow

    Affected versions of this package are vulnerable to Improper Enforcement of Behavioral Workflow via the Token Exchange implementation. An attacker can obtain access and refresh tokens for users who have been disabled by invoking the token exchange flow with a privileged client, potentially resulting in unauthorized access to previously revoked privileges.

    How to fix Improper Enforcement of Behavioral Workflow?

    Upgrade org.keycloak:keycloak-services to version 26.5.2 or higher.

    [,26.5.2)
    • L
    Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the validateTokenReuse method in the TokenManager class. An attacker can obtain multiple access tokens from a single refresh token by making concurrent refresh requests.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade org.keycloak:keycloak-services to version 26.4.11, 26.5.6 or higher.

    [,26.4.11)[26.5.0,26.5.6)
    • L
    Missing XML Validation

    Affected versions of this package are vulnerable to Missing XML Validation of the NotOnOrAfter timestamp in SubjectConfirmationData when SAML is configured to act as a client (SAML brokering). An attacker can extend the validity of SAML responses by manipulating the timestamp, potentially resulting in prolonged session durations or increased resource usage.

    How to fix Missing XML Validation?

    Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.

    [0,26.5.4)
    • M
    Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

    Affected versions of this package are vulnerable to Incorrect Behavior Order: Authorization Before Parsing and Canonicalization because the Authorization header parser accepts non-standard characters as separators and tolerates case variations that do not comply with RFC 6750. An attacker can bypass intended access restrictions by crafting specially formatted Authorization headers.

    How to fix Incorrect Behavior Order: Authorization Before Parsing and Canonicalization?

    Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.

    [9.0.0,26.5.4)
    • H
    Authentication Bypass by Alternate Name

    Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name via the ResourceSetService and PermissionTicketService modules due to improper verification of resourceServer ID. An attacker can access and modify resources belonging to other clients by supplying a valid resourceId in the admin API endpoints, bypassing proper authorization checks.

    How to fix Authentication Bypass by Alternate Name?

    Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

    [0,26.5.6)
    • M
    Access Control Bypass

    Affected versions of this package are vulnerable to Access Control Bypass via the /admin/realms/master/users/profile endpoint. An attacker can access internal user profile schema data by leveraging 'create-client' permissions.

    How to fix Access Control Bypass?

    Upgrade org.keycloak:keycloak-services to version 26.5.0 or higher.

    [0,26.5.0)
    • L
    Missing Critical Step in Authentication

    Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the WebAuthn Attestation Statement verification. An attacker can influence policy enforcement by manipulating the registration flow or using a rogue authenticator under user control.

    How to fix Missing Critical Step in Authentication?

    Upgrade org.keycloak:keycloak-services to version 26.5.1 or higher.

    [0,26.5.1)