org.keycloak:keycloak-services@26.5.6

  • latest version

    26.5.7

  • first published

    12 years ago

  • latest version published

    15 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability (severity) | Vulnerable Version
    • M (Medium)
    Origin Validation Error

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Origin Validation Error in the UMA token endpoint when the azp claim from a client-supplied JWT is used to set the Access-Control-Allow-Origin header before the JWT signature is validated. An attacker can cause low-sensitivity information from authorization server error responses to be exposed by injecting a specially crafted JWT with a malicious azp value, which is reflected as the CORS origin.

    Note:

    This is only exploitable if the target client is misconfigured with webOrigins: ["*"].

    How to fix Origin Validation Error?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • H (High)
    Excessive Platform Resource Consumption within a Loop

    Affected versions of this package are vulnerable to Excessive Platform Resource Consumption within a Loop via the scope parameter processing in the OpenID Connect (OIDC) token endpoint. An attacker can exhaust server resources and cause prolonged response times by sending a specially crafted POST request with an excessively long scope value.

    How to fix Excessive Platform Resource Consumption within a Loop?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • C (Critical)
    Improper Isolation or Compartmentalization

    Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization due to improper type and namespace isolation in the SingleUseObjectProvider. An attacker can obtain unauthorized access by forging authorization codes, which may result in the creation of admin-level access tokens.

    How to fix Improper Isolation or Compartmentalization?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • H (High)
    Open Redirect

    Affected versions of this package are vulnerable to Open Redirect via improper validation of redirect URIs in the authentication endpoint. An attacker can gain unauthorized access to sensitive information by exploiting path traversal sequences in the redirect parameter, potentially leading to the theft of access tokens.

    How to fix Open Redirect?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • H (High)
    Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

    Affected versions of this package are vulnerable to Incorrect Behavior Order: Authorization Before Parsing and Canonicalization in the UMA policy resource endpoint. An attacker who holds the uma_protection role can gain unauthorized access to resources owned by other users by including those users' resource identifiers in a policy creation request, allowing them to obtain sensitive information or perform actions without proper authorization.

    How to fix Incorrect Behavior Order: Authorization Before Parsing and Canonicalization?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • M (Medium)
    Improper Isolation or Compartmentalization

    Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through improper handling of single-use entries in the SingleUseObjectProvider, a global key-value store. An attacker can gain unauthorized access or compromise accounts by replaying already consumed action tokens, such as password reset links.

    How to fix Improper Isolation or Compartmentalization?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • L (Low)
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the client_session_host parameter during refresh token requests when the client is configured to use the backchannel.logout.url with the application.session.host placeholder. An attacker can cause the server to make HTTP requests to arbitrary internal or external endpoints by manipulating this parameter, potentially leading to information disclosure by probing internal networks or APIs.

    How to fix Server-side Request Forgery (SSRF)?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
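    Two of the unfixed entries above depend on client configuration rather than on the Keycloak version alone: the Origin Validation Error is only exploitable against a client whose webOrigins contains "*", and the client_session_host SSRF only applies when a client's backchannel.logout.url uses the application.session.host placeholder. The script below is an added example (not Keycloak's or Snyk's code) that audits a realm export for both settings. It assumes Keycloak's realm export layout (a top-level "clients" array whose entries carry "clientId", "webOrigins" and an "attributes" map, with the logout URL stored under the attribute key "backchannel.logout.url"); the REALM_EXPORT sample is constructed for the example and is not data from a real deployment.

```python
"""Audit a Keycloak realm export for client settings that widen the exposure
of two of the unfixed findings above: wildcard webOrigins (Origin Validation
Error) and a backchannel logout URL built from the application.session.host
placeholder (client_session_host SSRF).

Added example, not Keycloak's or Snyk's code. Assumptions: Keycloak realm
export layout ("clients" array with "clientId", "webOrigins", "attributes";
logout URL under the attribute key "backchannel.logout.url"). REALM_EXPORT
is a constructed sample, not real data.
"""
import json
import sys

# Constructed sample realm export (not real data).
REALM_EXPORT = json.dumps({
    "realm": "demo",
    "clients": [
        {"clientId": "spa-frontend",
         "webOrigins": ["*"],
         "attributes": {}},
        {"clientId": "legacy-backend",
         "webOrigins": ["https://app.example.com"],
         "attributes": {"backchannel.logout.url":
                        "https://${application.session.host}/logout"}},
        {"clientId": "portal",
         "webOrigins": ["https://portal.example.com"],
         "attributes": {"backchannel.logout.url":
                        "https://portal.example.com/logout"}},
    ],
})

CHECK_WILDCARD_ORIGIN = "wildcard-web-origin"
CHECK_SESSION_HOST_LOGOUT = "session-host-logout-url"


def audit_clients(export_json: str) -> list[dict]:
    """Return one finding dict per (client, risky setting) pair."""
    findings = []
    for client in json.loads(export_json).get("clients", []):
        client_id = client.get("clientId", "<unnamed>")
        origins = client.get("webOrigins") or []
        attrs = client.get("attributes") or {}

        # A literal "*" origin is the precondition for the Origin Validation
        # Error entry: the reflected azp value then passes CORS for any caller.
        if "*" in origins:
            findings.append({
                "clientId": client_id,
                "check": CHECK_WILDCARD_ORIGIN,
                "detail": "webOrigins contains '*'; replace with explicit origins",
            })

        # A logout URL that interpolates application.session.host is the
        # precondition for the SSRF entry: the host is taken from the
        # client-supplied client_session_host parameter on refresh.
        logout_url = attrs.get("backchannel.logout.url", "")
        if "application.session.host" in logout_url:
            findings.append({
                "clientId": client_id,
                "check": CHECK_SESSION_HOST_LOGOUT,
                "detail": f"backchannel.logout.url uses the placeholder: {logout_url}",
            })
    return findings


def main(argv: list[str]) -> int:
    """Usage: audit.py [realm-export.json]; without a path the sample is used."""
    data = open(argv[1]).read() if len(argv) > 1 else REALM_EXPORT
    findings = audit_clients(data)
    for f in findings:
        print(f"{f['clientId']:20} {f['check']:25} {f['detail']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a partial export taken from the admin console (Realm settings, Partial export, with clients included); a non-zero exit code means at least one client still needs its origins pinned or its logout URL changed to a fixed host.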
    • M (Medium)
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure in the identity-first login flow when Organizations are enabled. An attacker can obtain information about the existence of users by analyzing differential error messages.

    How to fix Information Exposure?

    A fix has been pushed to the master branch but has not yet been published in a release.

    [0,)
    • M (Medium)
    Access Control Bypass

    Affected versions of this package are vulnerable to Access Control Bypass due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. An attacker can modify protected resources without proper authorization by sending crafted requests to this endpoint when the allowRemoteResourceManagement setting is set to false.

    How to fix Access Control Bypass?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • M (Medium)
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) when processing client configuration requests. An attacker can make the server issue unintended requests to internal or restricted resources by sending a malicious sector_identifier_uri that points at internal addresses such as the cloud metadata service at 169.254.169.254.

    How to fix Server-side Request Forgery (SSRF)?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • L (Low)
    Missing Critical Step in Authentication

    Affected versions of this package are vulnerable to Missing Critical Step in Authentication due to insufficient validation of the authentication Level of Assurance in the Account REST API. An attacker can gain control over a victim's account by deleting the victim's registered MFA device and registering their own, provided they have obtained the victim's primary credentials.

    How to fix Missing Critical Step in Authentication?

    Upgrade org.keycloak:keycloak-services to version 26.5.7 or higher.

    [,26.5.7)
    • M (Medium)
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of the backchannel_client_notification_endpoint, which is configured during client registration or administration. A privileged user can make unauthorized requests to internal services, but cannot read the responses (blind SSRF).

    How to fix Server-side Request Forgery (SSRF)?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
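    The Vulnerable Version column uses Maven interval notation: "[,26.5.7)" means every version below 26.5.7, and "[0,)" means every published version, i.e. no fix exists yet. The script below is an added example (not Snyk's or Keycloak's tooling) that evaluates those ranges for a given keycloak-services version, so a team can see exactly which of the twelve entries an upgrade from 26.5.6 to 26.5.7 closes and which remain open pending a fix. It assumes the interval syntax as printed ("[" or "]" inclusive, "(" or ")" exclusive, an empty bound meaning unbounded) and that versions are dotted integers with an optional "-qualifier" that is ignored; the ENTRIES table is transcribed from the listing above, with short parenthetical tags added to tell the same-titled entries apart.

```python
"""Evaluate the Vulnerable Version ranges from the listing above against an
installed keycloak-services version.

Added example, not Snyk's or Keycloak's tooling. Assumptions: Maven interval
notation as printed on the page, dotted-integer versions with an optional
"-qualifier" that is dropped. ENTRIES is transcribed from the listing; the
parenthetical tags are added only to distinguish same-titled entries.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    title: str
    severity: str          # C, H, M or L, as printed in the listing
    vulnerable_range: str


ENTRIES = [
    Entry("Origin Validation Error", "M", "[0,)"),
    Entry("Excessive Platform Resource Consumption within a Loop", "H", "[,26.5.7)"),
    Entry("Improper Isolation or Compartmentalization (forged authorization codes)", "C", "[,26.5.7)"),
    Entry("Open Redirect", "H", "[,26.5.7)"),
    Entry("Incorrect Behavior Order: Authorization Before Parsing and Canonicalization", "H", "[,26.5.7)"),
    Entry("Improper Isolation or Compartmentalization (action token replay)", "M", "[,26.5.7)"),
    Entry("Server-side Request Forgery (client_session_host)", "L", "[0,)"),
    Entry("Information Exposure", "M", "[0,)"),
    Entry("Access Control Bypass", "M", "[0,)"),
    Entry("Server-side Request Forgery (sector_identifier_uri)", "M", "[0,)"),
    Entry("Missing Critical Step in Authentication", "L", "[,26.5.7)"),
    Entry("Server-side Request Forgery (backchannel_client_notification_endpoint)", "M", "[0,)"),
]

SEVERITY_RANK = {"C": 4, "H": 3, "M": 2, "L": 1}


def parse_version(text: str) -> tuple:
    """'26.5.7' -> (26, 5, 7); a '-SNAPSHOT'-style qualifier is dropped."""
    return tuple(int(part) for part in text.split("-", 1)[0].split("."))


def in_range(version: str, rng: str) -> bool:
    """True if version lies inside a Maven interval such as '[,26.5.7)'."""
    if rng[0] not in "[(" or rng[-1] not in "])":
        raise ValueError(f"not an interval: {rng!r}")
    low, high = rng[1:-1].split(",", 1)
    v = parse_version(version)
    if low:                                   # empty bound means unbounded
        lo = parse_version(low)
        if v < lo or (v == lo and rng[0] == "("):
            return False
    if high:
        hi = parse_version(high)
        if v > hi or (v == hi and rng[-1] == ")"):
            return False
    return True


def open_entries(version: str) -> list:
    """Entries whose vulnerable range still contains the given version."""
    return [e for e in ENTRIES if in_range(version, e.vulnerable_range)]


def highest_severity(entries: list) -> Optional[str]:
    """Worst severity letter among the entries, or None if the list is empty."""
    return max((e.severity for e in entries), key=SEVERITY_RANK.get, default=None)


if __name__ == "__main__":
    for ver in ("26.5.6", "26.5.7"):
        remaining = open_entries(ver)
        print(f"{ver}: {len(remaining)} open, highest severity {highest_severity(remaining)}")
        for e in remaining:
            print(f"  [{e.severity}] {e.title}")
```

For 26.5.6 all twelve entries apply and the worst is the Critical authorization-code forgery; after upgrading to 26.5.7 the six "[0,)" entries remain open, none above Medium, which is the residual risk to track until fixed releases appear.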