org.keycloak:keycloak-services@26.5.5

  • latest version

    26.6.1

  • first published

    12 years ago

  • latest version published

    1 month ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.
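Added example (not Snyk's or Keycloak's code): a small Python checker for the version-range notation used by the entries below, so a deployed version can be tested against each range, including the two-interval form. It implements a simplified Maven-style comparison (numeric segments compared as integers; qualifiers such as Beta1 or CR1 sort below a release with the same numbers); the sample entries are copied from this page.

```python
import re
from typing import Iterable, List, Tuple

# Range notation as printed in the entries on this page: "[,26.6.2)", "[0,26.5.6)",
# "[4.0.0.Beta1,26.6.2)" or the two-interval "[,26.4.11)[26.5.0,26.5.6)".
_INTERVAL = re.compile(r"([\[(])([^,\[\]()]*),([^,\[\]()]*)([\])])")

Key = List[Tuple[int, object]]


def version_key(version: str) -> Key:
    """Sortable key for a Maven-style version string.

    Numeric segments compare as integers; a non-numeric qualifier segment
    (Beta1, CR1, ...) sorts below a numeric or absent segment, so
    4.0.0.Beta1 < 4.0.0 as in Maven. Simplified: not Maven's full ComparableVersion.
    """
    key: Key = []
    for part in version.strip().split("."):
        key.append((1, int(part)) if part.isdigit() else (0, part.lower()))
    return key


def compare(a: str, b: str) -> int:
    """-1, 0 or 1; missing trailing segments count as 0 (26.5 == 26.5.0)."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [(1, 0)] * (width - len(ka))
    kb += [(1, 0)] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version: str, range_spec: str) -> bool:
    """True if `version` lies inside any interval of `range_spec`.

    An empty lower or upper bound means unbounded; '[' / ']' are inclusive,
    '(' / ')' exclusive.
    """
    intervals = _INTERVAL.findall(range_spec.replace(" ", ""))
    if not intervals:
        raise ValueError(f"unparseable range: {range_spec!r}")
    for lo_br, lo, hi, hi_br in intervals:
        if lo:
            c = compare(version, lo)
            if c < 0 or (c == 0 and lo_br == "("):
                continue
        if hi:
            c = compare(version, hi)
            if c > 0 or (c == 0 and hi_br == ")"):
                continue
        return True
    return False


def affected_entries(version: str, entries: Iterable[Tuple[str, str]]) -> List[str]:
    """Titles of the (title, range) entries whose range covers `version`."""
    return [title for title, spec in entries if is_affected(version, spec)]


# A few (title, range) pairs copied from the entries on this page.
SAMPLE_ENTRIES = [
    ("User Impersonation", "[4.0.0.Beta1,26.6.2)"),
    ("UMA 2.0 Protection API role check", "[,26.4.11)[26.5.0,26.5.6)"),
    ("Information Exposure", "[,26.6.1)"),
    ("Excessive Platform Resource Consumption", "[,26.5.7)"),
    ("Open Redirect (RedirectUtils)", "[,26.6.2)"),
]

if __name__ == "__main__":
    for v in ("26.5.5", "26.6.1"):
        print(v, "->", affected_entries(v, SAMPLE_ENTRIES))
```

Feed it the version reported by your build (for Maven, the `org.keycloak:keycloak-services` line of `mvn dependency:tree`) and the full list of ranges, rather than eyeballing each one; the two-interval ranges are where manual reading goes wrong.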

    Vulnerability (severity: L = Low, M = Medium, H = High, C = Critical) and vulnerable version range
    • L
    Authentication Bypass by Primary Weakness

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the Client-Initiated Backchannel Authentication (CIBA) flow. An attacker can continue authentication attempts and obtain tokens by exploiting the CIBA flow even when a user account is locked due to brute-force protection. This is only exploitable if CIBA is explicitly enabled and configured, and the user approves the authentication request on their device.

    How to fix Authentication Bypass by Primary Weakness?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • M
    Out-of-bounds Read

    Affected versions of this package are vulnerable to Out-of-bounds Read via the authorization header parsing in the ClientRegistrationAuth component. An attacker can cause a temporary disruption of service by sending a specially crafted request with a malformed 'Authorization: Bearer' header, which triggers an ArrayIndexOutOfBoundsException and results in an HTTP 500 error.

    How to fix Out-of-bounds Read?

    There is no fixed version for org.keycloak:keycloak-services.

    [9.0.0,)
    • H
    Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the role rename endpoint. An attacker can gain unauthorized administrative privileges by exploiting a timing window between the permission check and its enforcement, escalating to realm-wide administrative control. The escalated access persists after the attacker's original permissions are revoked and survives server restarts.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the user-facing APIs when the Organizations feature is disabled. An attacker can access organization membership data and obtain tokens containing organization claims by making authenticated requests, even after an administrator has disabled the feature at the realm level.

    How to fix Incorrect Authorization?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • M
    Improper Handling of Insufficient Permissions or Privileges

    Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the org.keycloak.protocol.oidc component when specific condition providers such as client-type, client-roles, client-attributes, or client-scopes are used. An attacker can gain unauthorized access and obtain authentication tokens by bypassing configured policy restrictions through Resource Owner Password Credentials (ROPC) grants, even when policies are set to block such requests. This is only exploitable if client policies rely on these condition providers to enforce ROPC grant rejection.

    How to fix Improper Handling of Insufficient Permissions or Privileges?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • M
    Incorrect Implementation of Authentication Algorithm

    Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm through the TokenManager and OIDC endpoint token checks in the access token introspection, refresh token, and userinfo paths. An attacker can keep using a token after a realm-level not-before event by presenting it to introspection, refresh, or userinfo requests when a client-level not-before value is also set. This lets revoked or otherwise invalidated tokens remain accepted, allowing continued access to protected account, userinfo, and token-refresh operations until the token expires.

    How to fix Incorrect Implementation of Authentication Algorithm?

    A fix was pushed into the master branch but not yet published.

    [9.0.0,)
    • M
    Client-Side Enforcement of Server-Side Security

    Affected versions of this package are vulnerable to Client-Side Enforcement of Server-Side Security through the processAction() registration flow in the WebAuthn authenticator components. An attacker can register a credential that does not match the realm’s WebAuthn policy by modifying the browser-side registration parameters or by using an authenticator that returns a different algorithm than requested. The server accepts and stores credentials with disallowed algorithms or other mismatched registration properties, and the same stored credential is then used for future logins without any server-side policy check, leaving users with WebAuthn credentials that do not enforce the administrator’s configured requirements.

    How to fix Client-Side Enforcement of Server-Side Security?

    There is no fixed version for org.keycloak:keycloak-services.

    [9.0.2,)
    • H
    User Impersonation

    Affected versions of this package are vulnerable to User Impersonation through the SessionCodeChecks logic in SessionCodeChecks.java. An attacker can reuse an auth_session_id and related login-action parameters from a different browser session to reach the authentication flow and trigger login or required-action processing without the expected session-cookie match. This lets the attacker force the server to accept a mismatched authentication session, resulting in unauthorized access to the login action flow and potential account takeover or session confusion for the victim.

    Note: While the fix was back-ported to version 26.4.12, this version has not been published to Maven Central.

    How to fix User Impersonation?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [4.0.0.Beta1,26.6.2)
    • H
    Open Redirect

    Affected versions of this package are vulnerable to Open Redirect through the areWildcardsAllowed check in RedirectUtils. An attacker can bypass redirect URI validation by supplying a redirect URI with an unparsed authority component and wildcard patterns, thereby sending users to an attacker-controlled destination.

    Notes

    • Clients only become vulnerable when their Valid Redirect URIs include a wildcard (*); exact-match redirect URI configurations are not affected by this bypass.
    • Exploitation depends on a malformed redirect URI whose authority cannot be parsed cleanly by Java’s URI handling, such as one using multiple @ characters in the user-info portion.

    How to fix Open Redirect?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [,26.6.2)
    • M
    Open Redirect

    Affected versions of this package are vulnerable to a missing audience check in the TokenEndpoint introspection flow of the OIDC protocol handlers (catalogued here under Open Redirect, although the behaviour described is an authorization failure rather than a redirect). An attacker can introspect tokens intended for another client by sending them to the token introspection endpoint from an authenticated client that is not listed in the token’s aud claim, exposing token metadata and claims for tokens outside that client’s intended audience.

    Note: While the fix was back-ported to version 26.4.12, this version has not been published to Maven Central.

    How to fix Open Redirect?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [,26.6.2)
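As an added example of the audience check this entry describes (illustration, not Keycloak's TokenEndpoint): an RFC 7662 introspection handler that refuses to answer for callers outside the token's aud, returning the same `{"active": false}` it would return for an unknown or expired token, so an unauthorized client cannot even confirm that the token exists. The token store, client names and an unchecked variant for contrast are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Union


@dataclass
class StoredToken:
    active: bool
    client_id: str                       # client the token was issued to (azp)
    sub: str
    scope: str
    aud: Union[str, List[str]] = field(default_factory=list)  # JWT aud may be a string or a list


# Constructed sample tokens keyed by their opaque string (not real Keycloak tokens).
TOKENS: Dict[str, StoredToken] = {
    "tok-1": StoredToken(True, "web-app", "alice", "openid profile", ["api-client"]),
    "tok-2": StoredToken(True, "web-app", "bob", "openid", "api-client"),
    "tok-3": StoredToken(False, "web-app", "carol", "openid", ["api-client"]),
}


def _audiences(token: StoredToken) -> set:
    aud = [token.aud] if isinstance(token.aud, str) else list(token.aud)
    return set(aud) | {token.client_id}  # the issuing client may always introspect its own tokens


def introspect_unchecked(caller_client_id: str, token_string: str) -> dict:
    """Vulnerable shape: any authenticated client learns about any active token."""
    token = TOKENS.get(token_string)
    if token is None or not token.active:
        return {"active": False}
    return {"active": True, "client_id": token.client_id, "sub": token.sub,
            "scope": token.scope, "aud": token.aud}


def introspect(caller_client_id: str, token_string: str) -> dict:
    """RFC 7662 introspection restricted to the token's audience.

    A caller that is neither in aud nor the issuing client receives the same
    {"active": false} as for an unknown token (RFC 7662 section 2.2), so the
    response carries no signal about tokens outside its audience.
    """
    token = TOKENS.get(token_string)
    if token is None or not token.active or caller_client_id not in _audiences(token):
        return {"active": False}
    return {"active": True, "client_id": token.client_id, "sub": token.sub,
            "scope": token.scope, "aud": token.aud}
```

The caller identity must come from the client authentication on the introspection request itself, never from a parameter the client sends, or the check collapses back to the unchecked variant.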
    • H
    External Control of Assumed-Immutable Web Parameter

    Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter via the SessionCodeChecks restart flow in the login session handling code. An attacker can steer a restarted authentication session to an attacker-chosen URL by supplying a crafted client_data parameter with a different redirect_uri, causing the victim’s browser to be redirected to the attacker’s endpoint after login. This can send the user’s authorization response to the wrong location, exposing the login result to an untrusted site.

    Note: While the fix was back-ported to version 26.4.12, this version has not been published to Maven Central.

    How to fix External Control of Assumed-Immutable Web Parameter?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [26.3.0,26.6.2)
    • H
    Replay Attack

    Affected versions of this package are vulnerable to Replay Attack through the RequiredActionFactory and required-action implementations in the authentication flow. An attacker can reuse a required-action email token by completing the action and then opening the same link again, causing the same account-management action to be accepted more than once. This lets a stale execute-actions-email link remain valid for repeated use, allowing repeated password updates, TOTP enrollment, account deletion, or other required actions to be triggered from the same token and undermining the intended single-use behavior.

    Notes

    • The replay issue is not limited to password resets: any required action implemented through RequiredActionFactory and exposed via execute-actions-email inherits the same single-use semantics, including flows such as TOTP enrollment, account deletion, and WebAuthn-related enrollment paths.
    • The vulnerable behavior is in the default isOneTimeAction() contract, so deployments that rely on custom required-action providers without their own override can also be affected even if the built-in actions are not the only ones in use.
    • While the fix was back-ported to version 26.4.12, this version has not been published to Maven Central.

    How to fix Replay Attack?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [,26.6.2)
    • H
    Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the ResourceService in the resource management API. An attacker can update, read, list, or delete resources they do not own by sending requests to the resource endpoints with a valid protection token. This lets a non-owner take over or inspect protected resources and disrupt other users’ resource and permission management.

    Note: While the fix was back-ported to version 26.4.12, this version has not been published to Maven Central.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [2.0.0.CR1,26.6.2)
    • M
    Insufficient Granularity of Access Control

    Affected versions of this package are vulnerable to Insufficient Granularity of Access Control via the user handler in the resource account service. An attacker can retrieve another user’s profile details by sending a GET request with an arbitrary value parameter for a resource they can access. The endpoint returns the target user’s identifier, username, first name, last name, and email without verifying that the requester owns the user record or has a permission request for that resource, exposing account data to unauthorized callers.

    Note: While the fix was back-ported to version 26.4.12, this version has not been published to Maven Central.

    How to fix Insufficient Granularity of Access Control?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [7.0.0,26.6.2)
    • M
    Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the generateAccessToken path in ClientScopeEvaluateResource.java. An attacker can generate client scope tokens for a user by supplying that user’s ID to client scope evaluation without having permission to view the user. The vulnerable flow resolves the target user and proceeds to generate a token without enforcing a user access check, allowing callers with client-scope evaluation access to act on users they are not authorized to inspect. This exposes user-related token data, allowing unauthorized administrators or users with low administrative privileges to evaluate scopes against arbitrary users.

    Note: While the fix was back-ported to version 26.4.12, this version has not been published to Maven Central.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade org.keycloak:keycloak-services to version 26.6.2 or higher.

    [,26.6.2)
    • H
    Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the cross-session email verification process. An attacker can gain persistent access to another user's local account by consuming the verification proof when controlling an upstream identity provider account that shares an email address with the victim. This is only exploitable if the attacker controls an upstream identity provider account with the same email as the victim, the victim is actively linking their account, email verification is enabled, and the identity provider is configured with trustEmail=false.

    How to fix Authorization Bypass Through User-Controlled Key?

    There is no fixed version for org.keycloak:keycloak-services.

    [26.3.0,)
    • L
    Improper Certificate Validation

    Affected versions of this package are vulnerable to Improper Certificate Validation via packed self-attestation in WebAuthn registration. An attacker can bypass the AAGUID allowlist by returning self-attestation when direct attestation is requested, as the AAGUID is not verified in this case, allowing registration with an unapproved authenticator.

    The attack surface is limited, as project maintainers note: "By default, for a simple implementation, attestation and AAGUIDs may not be considered necessary."

    How to fix Improper Certificate Validation?

    A fix was pushed into the master branch but not yet published.

    [0,)
    • M
    Forced Browsing

    Affected versions of this package are vulnerable to Forced Browsing via the account and account-api features when the server is started with --features-disabled=account,account-api. An authenticated user with API access can perform unauthorized read and write operations on specific account endpoints by bypassing the intended feature disablement.

    How to fix Forced Browsing?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • M
    Origin Validation Error

    Affected versions of this package are vulnerable to Origin Validation Error in the UMA token endpoint when the azp claim from a client-supplied JWT is used to set the Access-Control-Allow-Origin header before the JWT signature is validated. An attacker can cause low-sensitivity information from authorization server error responses to be exposed by injecting a specially crafted JWT with a malicious azp value, which is reflected as the CORS origin.

    Note: This is only exploitable if the target client is misconfigured with webOrigins: ["*"].

    How to fix Origin Validation Error?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
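Added example, not Keycloak's code, showing the ordering bug this entry describes: a token endpoint that derives Access-Control-Allow-Origin from the unverified azp claim beside one that verifies the signature first. It uses a minimal HS256 JWT with a constructed key and client registry; the `lax-client` entry with webOrigins ["*"] stands in for the misconfiguration the note mentions, and the error response is the "low-sensitivity information" an attacker's page could read.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

SERVER_KEY = b"constructed-server-hmac-key"   # stand-in for the realm's signing key

# Constructed client registry: client_id -> registered web origins.
CLIENTS = {
    "spa-client": ["https://spa.example"],
    "lax-client": ["*"],                      # the misconfiguration the advisory mentions
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Payload if the signature checks out, else None. Rejects any alg other than HS256."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


def _unverified_payload(token: str) -> dict:
    try:
        return json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError, UnicodeDecodeError):
        return {}


def _origin_for(client_id: Optional[str], request_origin: str) -> Optional[str]:
    origins = CLIENTS.get(client_id or "", [])
    # "*" echoes whatever Origin the browser sent; that is the weak setting.
    return request_origin if (request_origin in origins or "*" in origins) else None


def token_endpoint_vulnerable(token: str, request_origin: str) -> Tuple[int, dict, dict]:
    """Wrong order: azp is read from the unverified payload and turned into a CORS
    header before the signature is checked, so the error response is readable
    from the attacker's origin."""
    origin = _origin_for(_unverified_payload(token).get("azp"), request_origin)
    headers = {"Access-Control-Allow-Origin": origin} if origin else {}
    payload = verify_hs256(token, SERVER_KEY)
    if payload is None:
        return 401, headers, {"error": "invalid_token", "error_description": "signature check failed"}
    return 200, headers, {"ok": True, "azp": payload["azp"]}


def token_endpoint_hardened(token: str, request_origin: str) -> Tuple[int, dict, dict]:
    """Verify first; nothing from the token influences headers until it is trusted."""
    payload = verify_hs256(token, SERVER_KEY)
    if payload is None:
        return 401, {}, {"error": "invalid_token"}
    origin = _origin_for(payload.get("azp"), request_origin)
    headers = {"Access-Control-Allow-Origin": origin} if origin else {}
    return 200, headers, {"ok": True, "azp": payload["azp"]}
```

Even the hardened endpoint still echoes any origin for a client registered with "*", which is why the note above treats that setting as the precondition; the durable fix is an explicit origin list per client.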
    • H
    Excessive Platform Resource Consumption within a Loop

    Affected versions of this package are vulnerable to Excessive Platform Resource Consumption within a Loop via the scope parameter processing in the OpenID Connect (OIDC) token endpoint. An attacker can exhaust server resources and cause prolonged response times by sending a specially crafted POST request with an excessively long scope value.

    How to fix Excessive Platform Resource Consumption within a Loop?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • C
    Improper Isolation or Compartmentalization

    Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization due to improper type and namespace isolation in the SingleUseObjectProvider. An attacker can obtain unauthorized access by forging authorization codes, which may result in the creation of admin-level access tokens.

    How to fix Improper Isolation or Compartmentalization?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • H
    Open Redirect

    Affected versions of this package are vulnerable to Open Redirect via improper validation of redirect URIs in the authentication endpoint. An attacker can gain unauthorized access to sensitive information by exploiting path traversal sequences in the redirect parameter, potentially leading to the theft of access tokens.

    How to fix Open Redirect?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
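Added example covering the two redirect-URI entries on this page (the wildcard and unparsed-authority bypass in RedirectUtils, and the path-traversal variant above); it is illustrative hardening code, not Keycloak's implementation, and the registered URIs and candidate values are constructed. The validator compares scheme, host and port exactly, refuses any user-info in the authority, decodes and normalises dot segments before matching, and honours "*" only as a trailing path segment, so neither a second "@" nor "../" can move the match onto a different host or path.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
_ENCODED_DOT = re.compile(r"%2e", re.IGNORECASE)

Canon = Tuple[str, str, int, str, str]   # scheme, host, port, path, query


def canonical(uri: str) -> Optional[Canon]:
    """Parse and normalise a URI, or None if it is unacceptable as a redirect target."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return None                               # javascript:, data:, custom schemes
    if "@" in parts.netloc:
        # Any user-info is refused outright: browsers read
        # https://app.example.com@evil.example/ as host evil.example, and an
        # authority with several '@' is what defeats string-based wildcard matching.
        return None
    host = (parts.hostname or "").lower()
    if not host or parts.fragment:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:                            # non-numeric port
        return None
    raw_path = _ENCODED_DOT.sub(".", parts.path or "/")
    path = posixpath.normpath(raw_path)           # collapses /cb/../../admin to /admin
    if raw_path.endswith("/") and not path.endswith("/"):
        path += "/"
    return scheme, host, port, path, parts.query


def redirect_uri_allowed(candidate: str, registered: List[str]) -> bool:
    """Exact match against registered URIs; '*' is honoured only as a trailing path segment."""
    cand = canonical(candidate)
    if cand is None:
        return False
    c_scheme, c_host, c_port, c_path, c_query = cand
    for reg in registered:
        wildcard = reg.endswith("/*")
        if reg.endswith("*") and not wildcard:
            continue                              # host or port wildcards are never honoured
        r = canonical(reg[:-1] if wildcard else reg)
        if r is None:
            continue                              # a broken registration matches nothing
        r_scheme, r_host, r_port, r_path, r_query = r
        if (c_scheme, c_host, c_port) != (r_scheme, r_host, r_port):
            continue                              # authority must match exactly
        if wildcard:
            if c_path.startswith(r_path):
                return True
        elif (c_path, c_query) == (r_path, r_query):
            return True
    return False


# Constructed registration for a client; exact URIs are preferable to the wildcard entry.
REGISTERED = ["https://app.example.com/cb/*", "https://app.example.com/done"]
```

Run the same function over every redirect_uri a client has registered in your realm: any entry that does not survive `canonical()` is one the server would otherwise have to match as an opaque string.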
    • H
    Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

    Affected versions of this package are vulnerable to Incorrect Behavior Order: Authorization Before Parsing and Canonicalization via the UMA Policy Resource (user with the uma_protection role). An attacker can gain unauthorized access to resources owned by other users by including their resource identifiers in a policy creation request, allowing them to obtain sensitive information or perform actions without proper authorization.

    How to fix Incorrect Behavior Order: Authorization Before Parsing and Canonicalization?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • M
    Improper Isolation or Compartmentalization

    Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through improper handling of single-use entries in the SingleUseObjectProvider, a global key-value store. An attacker can gain unauthorized access or compromise accounts by replaying consumed action tokens, such as password reset links.

    How to fix Improper Isolation or Compartmentalization?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • L
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the client_session_host parameter during refresh token requests when the client is configured to use the backchannel.logout.url with the application.session.host placeholder. An attacker can cause the server to make HTTP requests to arbitrary internal or external endpoints by manipulating this parameter, potentially leading to information disclosure by probing internal networks or APIs.

    How to fix Server-side Request Forgery (SSRF)?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure in the identity-first login flow when Organizations are enabled. An attacker can obtain information about the existence of users by analyzing differential error messages.

    How to fix Information Exposure?

    Upgrade org.keycloak:keycloak-services to version 26.6.1 or higher.

    [,26.6.1)
    • M
    Access Control Bypass

    Affected versions of this package are vulnerable to Access Control Bypass due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. An attacker can modify protected resources without proper authorization by sending crafted requests to this endpoint when the allowRemoteResourceManagement setting is set to false.

    How to fix Access Control Bypass?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • M
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) when processing client configuration requests. An attacker can make the server issue unintended requests to internal or restricted resources by supplying a malicious sector_identifier_uri that points at addresses such as the cloud metadata service at 169.254.169.254.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade org.keycloak:keycloak-services to version 26.6.1 or higher.

    [,26.6.1)
    • L
    Missing Critical Step in Authentication

    Affected versions of this package are vulnerable to Missing Critical Step in Authentication due to insufficient validation of the authentication Level of Assurance in the Account REST API. An attacker can gain control over a victim's account by deleting the victim's registered MFA device and registering their own, provided they have obtained the victim's primary credentials.

    How to fix Missing Critical Step in Authentication?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • M
    Improper Handling of Insufficient Permissions or Privileges

    Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the UMA 2.0 Protection API, which fails to enforce the uma_protection role check. An attacker can access sensitive information by calling the Protection API without that role.

    How to fix Improper Handling of Insufficient Permissions or Privileges?

    Upgrade org.keycloak:keycloak-services to version 26.4.11, 26.5.6 or higher.

    [,26.4.11)[26.5.0,26.5.6)
    • H
    Incorrect Privilege Assignment

    Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the manage-clients permission assignment. An attacker can gain unauthorized access to higher-privileged operations by exploiting insufficient enforcement of access controls.

    How to fix Incorrect Privilege Assignment?

    Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

    [0,26.5.6)
    • L
    Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the Admin API when the Organizations feature is enabled. An authenticated attacker can enumerate the organization memberships of any other user if their unique identifier (UUID) is known.

    Note: This is only exploitable if the Organizations feature is enabled (which is the default in recent versions), the attacker possesses a valid access token for the realm, and the attacker knows the UUID of the victim user.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

    [0,26.5.6)
    • M
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of the backchannel_client_notification_endpoint, which is configured during client registration or administration. A privileged user can make unauthorized requests to internal services, but cannot access the responses.

    How to fix Server-side Request Forgery (SSRF)?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
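Added example (not Keycloak's code) of the outbound-URL guard that the three SSRF entries on this page call for (client_session_host in backchannel logout, sector_identifier_uri, and backchannel_client_notification_endpoint): resolve the host, reject anything that maps to loopback, link-local, private, multicast or IPv4-mapped addresses, and treat unresolvable names as unsafe. The DNS answers are a constructed table injected through `resolve`, so the block runs offline.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlsplit

# Address space the server should never be asked to connect to on a client's behalf.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

Resolver = Callable[[str], Iterable[str]]


def is_blocked_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                      # ::ffff:169.254.169.254 is still the metadata service
    return any(ip in net for net in BLOCKED_NETWORKS)


def is_safe_outbound_url(url: str, resolve: Resolver) -> bool:
    """True only if every address the host maps to is public.

    `resolve` is injected so the check is testable offline; in production, open
    the connection to the addresses returned here rather than resolving again,
    otherwise a DNS rebinding answer can change between check and use.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if "@" in parts.netloc or not parts.hostname:
        return False                             # no user-info tricks, no empty host
    host = parts.hostname
    try:
        ipaddress.ip_address(host)               # literal address in the URL
        addresses: List[str] = [host]
    except ValueError:
        addresses = list(resolve(host))
    if not addresses:
        return False                             # unresolvable: refuse rather than guess
    return not any(is_blocked_address(a) for a in addresses)


# Constructed DNS answers for the examples below (not real hosts).
FAKE_DNS: Dict[str, List[str]] = {
    "client.example": ["203.0.113.10"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example": ["203.0.113.20", "10.0.0.5"],   # one public, one private answer
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])
```

Apply the check both when the URL is stored (registration or admin update) and again immediately before each outbound request, since the name may resolve differently later; also make the HTTP client refuse to follow redirects, or a public host can bounce the request into the blocked ranges.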
    • L
    Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the validateTokenReuse method in the TokenManager class. An attacker can obtain multiple access tokens from a single refresh token by making concurrent refresh requests.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade org.keycloak:keycloak-services to version 26.4.11, 26.5.6 or higher.

    [,26.4.11)[26.5.0,26.5.6)
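Added example (not Keycloak's SingleUseObjectProvider or TokenManager) illustrating the single-use semantics behind several entries on this page: the refresh-token reuse race above, the replayed execute-actions-email tokens, and the two SingleUseObjectProvider entries about replayed action tokens and missing type isolation. A check-then-act store sits beside an atomic one that also namespaces entries by type, and `race()` fires concurrent consumers to show the difference; store names and values are constructed.

```python
import threading
import time
from typing import Any, Dict, Optional, Tuple


class RacySingleUseStore:
    """Check-then-act consume: the lookup and the delete are separate steps, so
    two concurrent callers can both read the entry before either removes it.
    Values must not be None (None means "absent")."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], Any] = {}

    def put(self, kind: str, key: str, value: Any) -> None:
        self._entries[(kind, key)] = value

    def consume(self, kind: str, key: str) -> Optional[Any]:
        value = self._entries.get((kind, key))       # check
        if value is None:
            return None
        time.sleep(0.001)                            # a database round-trip in real life
        self._entries.pop((kind, key), None)         # act
        return value


class AtomicSingleUseStore(RacySingleUseStore):
    """Lookup and removal happen under one lock, so exactly one caller wins.
    Keys are (kind, id) tuples: an action-token id cannot be consumed as an
    authorization code or a refresh-token id, whatever the caller supplies."""

    def __init__(self) -> None:
        super().__init__()
        self._lock = threading.Lock()

    def consume(self, kind: str, key: str) -> Optional[Any]:
        with self._lock:
            return self._entries.pop((kind, key), None)


def race(store: RacySingleUseStore, kind: str, key: str, threads: int = 8) -> int:
    """Start `threads` callers at the same instant; return how many got the value."""
    barrier = threading.Barrier(threads)
    winners: list = []

    def worker() -> None:
        barrier.wait()
        if store.consume(kind, key) is not None:
            winners.append(1)

    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for t in workers:
        t.start()
    for t in workers:
        t.join()
    return len(winners)


if __name__ == "__main__":
    for cls in (RacySingleUseStore, AtomicSingleUseStore):
        store = cls()
        store.put("refresh-token", "rt-123", {"sub": "alice"})
        print(cls.__name__, "winners:", race(store, "refresh-token", "rt-123"))
```

In a clustered deployment the lock has to live in the shared store (a conditional remove, or a database DELETE ... RETURNING), not in one node's memory, for the same reason the in-process version needs it.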
    • H
    Authentication Bypass by Alternate Name

    Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name via the ResourceSetService and PermissionTicketService modules due to improper verification of resourceServer ID. An attacker can access and modify resources belonging to other clients by supplying a valid resourceId in the admin API endpoints, bypassing proper authorization checks.

    How to fix Authentication Bypass by Alternate Name?

    Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

    [0,26.5.6)
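Added example (illustrative, not Keycloak's ResourceSetService, ResourceService, PermissionTicketService or account user handler) for the resource-ownership entries on this page: UMA resource reads, updates, deletes and policy creation all pass through one gate that first scopes the resource to the caller's resource server, then requires the caller to be the owner or the resource server itself holding uma_protection, and refuses remote changes when allowRemoteResourceManagement is off. Policy creation authorises every referenced resource before anything is stored. Callers, resources and names are constructed; the caller's identity is assumed to come from an already-validated token.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


class Forbidden(Exception):
    pass


@dataclass
class Resource:
    id: str
    resource_server: str        # client that registered the resource
    owner: str                  # user (or client) that owns it
    name: str


@dataclass(frozen=True)
class Caller:
    subject: str                # sub from an already-validated token
    resource_server: str        # client the token was issued for
    roles: FrozenSet[str] = frozenset()


@dataclass
class Policy:
    id: str
    owner: str
    resource_ids: List[str]


class ResourceRegistry:
    def __init__(self, resources: List[Resource], remote_management: bool = True) -> None:
        self._resources: Dict[str, Resource] = {r.id: r for r in resources}
        self._policies: List[Policy] = []
        self.remote_management = remote_management   # allowRemoteResourceManagement

    def _authorize(self, caller: Caller, resource_id: str) -> Resource:
        """The single gate every read and write goes through."""
        res = self._resources.get(resource_id)
        # Scope by resource server first: an ID that belongs to another client is
        # "unknown", with the same error as a nonexistent one, so nothing leaks.
        if res is None or res.resource_server != caller.resource_server:
            raise Forbidden("unknown resource")
        is_resource_server = (caller.subject == res.resource_server
                              and "uma_protection" in caller.roles)
        if not is_resource_server and res.owner != caller.subject:
            raise Forbidden("not the owner")
        return res

    def get(self, caller: Caller, resource_id: str) -> Resource:
        return self._authorize(caller, resource_id)

    def update(self, caller: Caller, resource_id: str, name: str) -> Resource:
        if not self.remote_management:
            raise Forbidden("remote resource management is disabled")
        res = self._authorize(caller, resource_id)
        res.name = name
        return res

    def delete(self, caller: Caller, resource_id: str) -> None:
        if not self.remote_management:
            raise Forbidden("remote resource management is disabled")
        self._authorize(caller, resource_id)
        del self._resources[resource_id]

    def create_policy(self, caller: Caller, policy_id: str, resource_ids: List[str]) -> Policy:
        # Authorise every referenced resource before anything is persisted.
        for rid in resource_ids:
            self._authorize(caller, rid)
        policy = Policy(policy_id, caller.subject, list(resource_ids))
        self._policies.append(policy)
        return policy

    def policies(self) -> List[Policy]:
        return list(self._policies)


def denied(fn, *args, **kwargs) -> bool:
    """True if the call raised Forbidden."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False
```

The point of routing everything through `_authorize` is that a new endpoint (a user lookup, a PUT on resource_set, a policy that references many resources) cannot accidentally skip the resource-server and owner checks the way the entries above describe.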