org.keycloak:keycloak-services@26.5.2

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Excessive Platform Resource Consumption within a Loop via the scope parameter processing in the OpenID Connect (OIDC) token endpoint. An attacker can exhaust server resources and cause prolonged response times by sending a specially crafted POST request with an excessively long scope value.

Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization due to improper type and namespace isolation in the SingleUseObjectProvider. An attacker can obtain unauthorized access by forging authorization codes, which may result in the creation of admin-level access tokens.

Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect via improper validation of redirect URIs in the authentication endpoint. An attacker can gain unauthorized access to sensitive information by exploiting path traversal sequences in the redirect parameter, potentially leading to the theft of access tokens.

Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect Behavior Order: Authorization Before Parsing and Canonicalization via the UMA Policy Resource (user with the uma_protection role). An attacker can gain unauthorized access to resources owned by other users by including their resource identifiers in a policy creation request, allowing them to obtain sensitive information or perform actions without proper authorization.

Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through improper handling of single-use entries in the SingleUseObjectProvider a global key-value store. An attacker can gain unauthorized access or compromise accounts by replaying consumed action tokens, such as password reset links.

Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the client_session_host parameter during refresh token requests when the client is configured to use the backchannel.logout.url with the application.session.host placeholder. An attacker can cause the server to make HTTP requests to arbitrary internal or external endpoints by manipulating this parameter, potentially leading to information disclosure by probing internal networks or APIs.

There is no fixed version for org.keycloak:keycloak-services.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Information Exposure in the identity-first login flow when Organizations are enabled. An attacker can obtain information about the existence of users by analyzing differential error messages.

A fix was pushed into the master branch but not yet published.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Access Control Bypass due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. An attacker can modify protected resources without proper authorization by sending crafted requests to this endpoint when the allowRemoteResourceManagement setting is set to false.

There is no fixed version for org.keycloak:keycloak-services.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) when processing client configuration requests. An attacker can make unintended requests to internal or restricted resources by sending a malicious sector_identifier_uri that accesses addresses such as a cloud metadata services at 169.254.169.254.

There is no fixed version for org.keycloak:keycloak-services.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via improper validation of encrypted SAML assertions. An attacker can gain unauthorized access by submitting specially crafted SAML assertions.

Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the SAML Identity Provider authentication process when it is disabled. An attacker can gain unauthorized access by exploiting the ability to authenticate through a provider that should not be available.

Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the IdentityBrokerService.performLogin endpoint. An attacker can gain unauthorized access and bypass administrative restrictions by reusing a previously generated login request referencing a disabled external identity provider.

Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness when a disabled SAML client is configured as an Identity Provider (IdP)-initiated broker landing target. An attacker can gain unauthorized access to other enabled clients via a Single Sign-On (SSO) session.

Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Missing Critical Step in Authentication due to insufficient validation of the authentication Level of Assurance in the Account REST API. An attacker can gain control over a victim's account by deleting the victim's registered MFA device and registering their own, provided they have obtained the victim's primary credentials.

Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges via improper enforcement of roles in the UMA 2.0 Protection API which fails to enforce the uma_protection role check. An attacker can access sensitive information by leveraging insufficient permission checks.

Upgrade org.keycloak:keycloak-services to version 26.4.11, 26.5.6 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the manage-clients permission assignment. An attacker can gain unauthorized access to higher-privileged operations by exploiting insufficient enforcement of access controls.

Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authorization in the /protocol/docker-v2/auth endpoint, which does not ensure that the client is in “Enabled” status before granting an access token. This allows a user in possession of valid credentials and the client ID of a disabled client to bypass administrative restrictions.

Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) via the SAMLRequest DEFLATE decompression. An attacker can cause service disruption by sending a highly compressed requests that trigger excessive resource consumption during decompression.

Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the Admin API when the Organizations feature is enabled. An authenticated attacker can enumerate the organization memberships of any other user if their unique identifier (UUID) is known.

Note:

This is only exploitable if the Organizations feature is enabled (which is the default in recent versions), the attacker possesses a valid access token for the realm and the attacker knows the UUID of the victim user.

Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the invitation tokens in the registration process. An attacker can gain unauthorized access to organizations by modifying the organization ID and target email within a legitimate invitation token's JWT payload.

Upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment due to improper enforcement of user disabled-state checks in the grant preview feature. An attacker can gain unauthorized access to sensitive resources by presenting a valid assertion token from an external identity provider for a disabled user account. This is only exploitable if the jwt-authorization-grant preview feature is explicitly enabled.

Upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard due to improper verification if an Identity Provider (IdP) is enabled before issuing tokens. An attacker can gain unauthorized access by issuing valid access tokens using a disabled Identity Provider's signing key.

Upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect Privilege Assignment due to insufficient ownership verification in the UserManagedPermissionService (UMA Protection API). An attacker can gain unauthorized access to modify or delete authorization rules for resources they do not own by updating or deleting a policy associated with multiple resources, where the authorization check only validates ownership of the first resource in the list.

Upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of the backchannel_client_notification_endpoint, which is configured during client registration or administration. A privileged user can make unauthorized requests to internal services, but cannot access the responses.

There is no fixed version for org.keycloak:keycloak-services.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the validateTokenReuse method in the TokenManager class. An attacker can obtain multiple access tokens from a single refresh token by making concurrent refresh requests.

Upgrade org.keycloak:keycloak-services to version 26.4.11, 26.5.6 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Missing XML Validation of the NotOnOrAfter timestamp in SubjectConfirmationData when SAML is configured to act as a client (SAML brokering). An attacker can extend the validity of SAML responses by manipulating the timestamp, potentially resulting in prolonged session durations or increased resource usage.

Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect Behavior Order: Authorization Before Parsing and Canonicalization due to the Authorization header parser accepting non-standard characters as separators and tolerating case variations that do not comply with RFC 6750 specifications. An attacker can bypass intended access restrictions by crafting specially formatted authentication headers.

Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.