org.keycloak:keycloak-services 26.5.4

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Origin Validation Error org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Origin Validation Error in the UMA token endpoint when the `azp` claim from a client-supplied JWT is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. An attacker can cause low-sensitivity information from authorization server error responses to be exposed by injecting a specially crafted JWT with a malicious `azp` value, which is reflected as the CORS origin. Note: This is only exploitable if the target client is misconfigured with `webOrigins: ["*"]`. How to fix Origin Validation Error? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
H Excessive Platform Resource Consumption within a Loop org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Excessive Platform Resource Consumption within a Loop via the `scope` parameter processing in the OpenID Connect (OIDC) token endpoint. An attacker can exhaust server resources and cause prolonged response times by sending a specially crafted POST request with an excessively long `scope` value. How to fix Excessive Platform Resource Consumption within a Loop? Upgrade `org.keycloak:keycloak-services` to version 26.5.7 or higher.	[,26.5.7)
C Improper Isolation or Compartmentalization org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization due to improper type and namespace isolation in the `SingleUseObjectProvider`. An attacker can obtain unauthorized access by forging authorization codes, which may result in the creation of admin-level access tokens. How to fix Improper Isolation or Compartmentalization? Upgrade `org.keycloak:keycloak-services` to version 26.5.7 or higher.	[,26.5.7)
H Open Redirect org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect via improper validation of redirect URIs in the authentication endpoint. An attacker can gain unauthorized access to sensitive information by exploiting path traversal sequences in the redirect parameter, potentially leading to the theft of access tokens. How to fix Open Redirect? Upgrade `org.keycloak:keycloak-services` to version 26.5.7 or higher.	[,26.5.7)
H Incorrect Behavior Order: Authorization Before Parsing and Canonicalization org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Behavior Order: Authorization Before Parsing and Canonicalization via the UMA Policy Resource (user with the `uma_protection` role). An attacker can gain unauthorized access to resources owned by other users by including their resource identifiers in a policy creation request, allowing them to obtain sensitive information or perform actions without proper authorization. How to fix Incorrect Behavior Order: Authorization Before Parsing and Canonicalization? Upgrade `org.keycloak:keycloak-services` to version 26.5.7 or higher.	[,26.5.7)
M Improper Isolation or Compartmentalization org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through improper handling of single-use entries in the `SingleUseObjectProvider` a global key-value store. An attacker can gain unauthorized access or compromise accounts by replaying consumed action tokens, such as password reset links. How to fix Improper Isolation or Compartmentalization? Upgrade `org.keycloak:keycloak-services` to version 26.5.7 or higher.	[,26.5.7)
L Server-side Request Forgery (SSRF) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `client_session_host` parameter during refresh token requests when the client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. An attacker can cause the server to make HTTP requests to arbitrary internal or external endpoints by manipulating this parameter, potentially leading to information disclosure by probing internal networks or APIs. How to fix Server-side Request Forgery (SSRF)? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
M Information Exposure org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Information Exposure in the identity-first login flow when Organizations are enabled. An attacker can obtain information about the existence of users by analyzing differential error messages. How to fix Information Exposure? A fix was pushed into the `master` branch but not yet published.	[0,)
M Access Control Bypass org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Access Control Bypass due to incomplete enforcement of access control checks on PUT operations to the `resource_set` endpoint. An attacker can modify protected resources without proper authorization by sending crafted requests to this endpoint when the `allowRemoteResourceManagement` setting is set to false. How to fix Access Control Bypass? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
M Server-side Request Forgery (SSRF) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) when processing client configuration requests. An attacker can make unintended requests to internal or restricted resources by sending a malicious `sector_identifier_uri` that accesses addresses such as a cloud metadata services at `169.254.169.254`. How to fix Server-side Request Forgery (SSRF)? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
M Improper Validation of Specified Type of Input org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via improper validation of encrypted SAML assertions. An attacker can gain unauthorized access by submitting specially crafted SAML assertions. How to fix Improper Validation of Specified Type of Input? Upgrade `org.keycloak:keycloak-services` to version 26.2.14, 26.4.10, 26.5.5 or higher.	[,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)
H Authentication Bypass by Primary Weakness org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the SAML Identity Provider authentication process when it is disabled. An attacker can gain unauthorized access by exploiting the ability to authenticate through a provider that should not be available. How to fix Authentication Bypass by Primary Weakness? Upgrade `org.keycloak:keycloak-services` to version 26.2.14, 26.4.10, 26.5.5 or higher.	[,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)
H Authorization Bypass Through User-Controlled Key org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the `IdentityBrokerService.performLogin` endpoint. An attacker can gain unauthorized access and bypass administrative restrictions by reusing a previously generated login request referencing a disabled external identity provider. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `org.keycloak:keycloak-services` to version 26.2.14, 26.4.10, 26.5.5 or higher.	[,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)
H Authentication Bypass by Primary Weakness org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness when a disabled SAML client is configured as an Identity Provider (IdP)-initiated broker landing target. An attacker can gain unauthorized access to other enabled clients via a Single Sign-On (SSO) session. How to fix Authentication Bypass by Primary Weakness? Upgrade `org.keycloak:keycloak-services` to version 26.2.14, 26.4.10, 26.5.5 or higher.	[,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)
L Missing Critical Step in Authentication org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Missing Critical Step in Authentication due to insufficient validation of the authentication Level of Assurance in the Account REST API. An attacker can gain control over a victim's account by deleting the victim's registered MFA device and registering their own, provided they have obtained the victim's primary credentials. How to fix Missing Critical Step in Authentication? Upgrade `org.keycloak:keycloak-services` to version 26.5.7 or higher.	[,26.5.7)
M Improper Handling of Insufficient Permissions or Privileges org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges via improper enforcement of roles in the UMA 2.0 Protection API which fails to enforce the `uma_protection` role check. An attacker can access sensitive information by leveraging insufficient permission checks. How to fix Improper Handling of Insufficient Permissions or Privileges? Upgrade `org.keycloak:keycloak-services` to version 26.4.11, 26.5.6 or higher.	[,26.4.11)[26.5.0,26.5.6)
H Incorrect Privilege Assignment org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the `manage-clients` permission assignment. An attacker can gain unauthorized access to higher-privileged operations by exploiting insufficient enforcement of access controls. How to fix Incorrect Privilege Assignment? Upgrade `org.keycloak:keycloak-services` to version 26.5.6 or higher.	[0,26.5.6)
L Authorization Bypass Through User-Controlled Key org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the Admin API when the Organizations feature is enabled. An authenticated attacker can enumerate the organization memberships of any other user if their unique identifier (UUID) is known. Note: This is only exploitable if the Organizations feature is enabled (which is the default in recent versions), the attacker possesses a valid access token for the realm and the attacker knows the UUID of the victim user. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `org.keycloak:keycloak-services` to version 26.5.6 or higher.	[0,26.5.6)
M Server-side Request Forgery (SSRF) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of the `backchannel_client_notification_endpoint`, which is configured during client registration or administration. A privileged user can make unauthorized requests to internal services, but cannot access the responses. How to fix Server-side Request Forgery (SSRF)? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
L Time-of-check Time-of-use (TOCTOU) Race Condition org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the `validateTokenReuse` method in the `TokenManager` class. An attacker can obtain multiple access tokens from a single refresh token by making concurrent refresh requests. How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade `org.keycloak:keycloak-services` to version 26.4.11, 26.5.6 or higher.	[,26.4.11)[26.5.0,26.5.6)
H Authentication Bypass by Alternate Name org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name via the `ResourceSetService` and `PermissionTicketService` modules due to improper verification of resourceServer ID. An attacker can access and modify resources belonging to other clients by supplying a valid `resourceId` in the admin API endpoints, bypassing proper authorization checks. How to fix Authentication Bypass by Alternate Name? Upgrade `org.keycloak:keycloak-services` to version 26.5.6 or higher.	[0,26.5.6)

Vulnerability

Vulnerable Version

Origin Validation Error

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Origin Validation Error in the UMA token endpoint when the azp claim from a client-supplied JWT is used to set the Access-Control-Allow-Origin header before the JWT signature is validated. An attacker can cause low-sensitivity information from authorization server error responses to be exposed by injecting a specially crafted JWT with a malicious azp value, which is reflected as the CORS origin.

Note:

This is only exploitable if the target client is misconfigured with webOrigins: ["*"].

How to fix Origin Validation Error?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Excessive Platform Resource Consumption within a Loop

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Excessive Platform Resource Consumption within a Loop via the scope parameter processing in the OpenID Connect (OIDC) token endpoint. An attacker can exhaust server resources and cause prolonged response times by sending a specially crafted POST request with an excessively long scope value.

How to fix Excessive Platform Resource Consumption within a Loop?

Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

[,26.5.7)

Improper Isolation or Compartmentalization

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization due to improper type and namespace isolation in the SingleUseObjectProvider. An attacker can obtain unauthorized access by forging authorization codes, which may result in the creation of admin-level access tokens.

How to fix Improper Isolation or Compartmentalization?

Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

[,26.5.7)

Open Redirect

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Open Redirect via improper validation of redirect URIs in the authentication endpoint. An attacker can gain unauthorized access to sensitive information by exploiting path traversal sequences in the redirect parameter, potentially leading to the theft of access tokens.

How to fix Open Redirect?

Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

[,26.5.7)

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect Behavior Order: Authorization Before Parsing and Canonicalization via the UMA Policy Resource (user with the uma_protection role). An attacker can gain unauthorized access to resources owned by other users by including their resource identifiers in a policy creation request, allowing them to obtain sensitive information or perform actions without proper authorization.

How to fix Incorrect Behavior Order: Authorization Before Parsing and Canonicalization?

Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

[,26.5.7)

Improper Isolation or Compartmentalization

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through improper handling of single-use entries in the SingleUseObjectProvider a global key-value store. An attacker can gain unauthorized access or compromise accounts by replaying consumed action tokens, such as password reset links.

How to fix Improper Isolation or Compartmentalization?

Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

[,26.5.7)

Server-side Request Forgery (SSRF)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the client_session_host parameter during refresh token requests when the client is configured to use the backchannel.logout.url with the application.session.host placeholder. An attacker can cause the server to make HTTP requests to arbitrary internal or external endpoints by manipulating this parameter, potentially leading to information disclosure by probing internal networks or APIs.

How to fix Server-side Request Forgery (SSRF)?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Information Exposure

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Information Exposure in the identity-first login flow when Organizations are enabled. An attacker can obtain information about the existence of users by analyzing differential error messages.

How to fix Information Exposure?

A fix was pushed into the master branch but not yet published.

[0,)

Access Control Bypass

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Access Control Bypass due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. An attacker can modify protected resources without proper authorization by sending crafted requests to this endpoint when the allowRemoteResourceManagement setting is set to false.

How to fix Access Control Bypass?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Server-side Request Forgery (SSRF)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) when processing client configuration requests. An attacker can make unintended requests to internal or restricted resources by sending a malicious sector_identifier_uri that accesses addresses such as a cloud metadata services at 169.254.169.254.

How to fix Server-side Request Forgery (SSRF)?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Improper Validation of Specified Type of Input

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via improper validation of encrypted SAML assertions. An attacker can gain unauthorized access by submitting specially crafted SAML assertions.

How to fix Improper Validation of Specified Type of Input?

Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

[,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)

Authentication Bypass by Primary Weakness

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the SAML Identity Provider authentication process when it is disabled. An attacker can gain unauthorized access by exploiting the ability to authenticate through a provider that should not be available.

How to fix Authentication Bypass by Primary Weakness?

Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

[,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)

Authorization Bypass Through User-Controlled Key

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the IdentityBrokerService.performLogin endpoint. An attacker can gain unauthorized access and bypass administrative restrictions by reusing a previously generated login request referencing a disabled external identity provider.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

[,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)

Authentication Bypass by Primary Weakness

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness when a disabled SAML client is configured as an Identity Provider (IdP)-initiated broker landing target. An attacker can gain unauthorized access to other enabled clients via a Single Sign-On (SSO) session.

How to fix Authentication Bypass by Primary Weakness?

Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

[,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)

Missing Critical Step in Authentication

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Missing Critical Step in Authentication due to insufficient validation of the authentication Level of Assurance in the Account REST API. An attacker can gain control over a victim's account by deleting the victim's registered MFA device and registering their own, provided they have obtained the victim's primary credentials.

How to fix Missing Critical Step in Authentication?

Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

[,26.5.7)

Improper Handling of Insufficient Permissions or Privileges

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges via improper enforcement of roles in the UMA 2.0 Protection API which fails to enforce the uma_protection role check. An attacker can access sensitive information by leveraging insufficient permission checks.

How to fix Improper Handling of Insufficient Permissions or Privileges?

Upgrade org.keycloak:keycloak-services to version 26.4.11, 26.5.6 or higher.

[,26.4.11)[26.5.0,26.5.6)

Incorrect Privilege Assignment

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the manage-clients permission assignment. An attacker can gain unauthorized access to higher-privileged operations by exploiting insufficient enforcement of access controls.

How to fix Incorrect Privilege Assignment?

Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

[0,26.5.6)

Authorization Bypass Through User-Controlled Key

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the Admin API when the Organizations feature is enabled. An authenticated attacker can enumerate the organization memberships of any other user if their unique identifier (UUID) is known.

Note:

This is only exploitable if the Organizations feature is enabled (which is the default in recent versions), the attacker possesses a valid access token for the realm and the attacker knows the UUID of the victim user.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

[0,26.5.6)

Server-side Request Forgery (SSRF)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of the backchannel_client_notification_endpoint, which is configured during client registration or administration. A privileged user can make unauthorized requests to internal services, but cannot access the responses.

How to fix Server-side Request Forgery (SSRF)?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Time-of-check Time-of-use (TOCTOU) Race Condition

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the validateTokenReuse method in the TokenManager class. An attacker can obtain multiple access tokens from a single refresh token by making concurrent refresh requests.

How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

Upgrade org.keycloak:keycloak-services to version 26.4.11, 26.5.6 or higher.

[,26.4.11)[26.5.0,26.5.6)

Authentication Bypass by Alternate Name

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name via the ResourceSetService and PermissionTicketService modules due to improper verification of resourceServer ID. An attacker can access and modify resources belonging to other clients by supplying a valid resourceId in the admin API endpoints, bypassing proper authorization checks.

How to fix Authentication Bypass by Alternate Name?

Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

[0,26.5.6)

org.keycloak:keycloak-services@26.5.4

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically