org.keycloak:keycloak-services 26.5.7

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Origin Validation Error org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Origin Validation Error in the UMA token endpoint when the `azp` claim from a client-supplied JWT is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. An attacker can cause low-sensitivity information from authorization server error responses to be exposed by injecting a specially crafted JWT with a malicious `azp` value, which is reflected as the CORS origin. Note: This is only exploitable if the target client is misconfigured with `webOrigins: ["*"]`. How to fix Origin Validation Error? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
L Server-side Request Forgery (SSRF) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `client_session_host` parameter during refresh token requests when the client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. An attacker can cause the server to make HTTP requests to arbitrary internal or external endpoints by manipulating this parameter, potentially leading to information disclosure by probing internal networks or APIs. How to fix Server-side Request Forgery (SSRF)? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
M Information Exposure org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Information Exposure in the identity-first login flow when Organizations are enabled. An attacker can obtain information about the existence of users by analyzing differential error messages. How to fix Information Exposure? A fix was pushed into the `master` branch but not yet published.	[0,)
M Access Control Bypass org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Access Control Bypass due to incomplete enforcement of access control checks on PUT operations to the `resource_set` endpoint. An attacker can modify protected resources without proper authorization by sending crafted requests to this endpoint when the `allowRemoteResourceManagement` setting is set to false. How to fix Access Control Bypass? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
M Server-side Request Forgery (SSRF) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) when processing client configuration requests. An attacker can make unintended requests to internal or restricted resources by sending a malicious `sector_identifier_uri` that accesses addresses such as a cloud metadata services at `169.254.169.254`. How to fix Server-side Request Forgery (SSRF)? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
M Server-side Request Forgery (SSRF) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of the `backchannel_client_notification_endpoint`, which is configured during client registration or administration. A privileged user can make unauthorized requests to internal services, but cannot access the responses. How to fix Server-side Request Forgery (SSRF)? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)

Vulnerability

Vulnerable Version

Origin Validation Error

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Origin Validation Error in the UMA token endpoint when the azp claim from a client-supplied JWT is used to set the Access-Control-Allow-Origin header before the JWT signature is validated. An attacker can cause low-sensitivity information from authorization server error responses to be exposed by injecting a specially crafted JWT with a malicious azp value, which is reflected as the CORS origin.

Note:

This is only exploitable if the target client is misconfigured with webOrigins: ["*"].

How to fix Origin Validation Error?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Server-side Request Forgery (SSRF)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the client_session_host parameter during refresh token requests when the client is configured to use the backchannel.logout.url with the application.session.host placeholder. An attacker can cause the server to make HTTP requests to arbitrary internal or external endpoints by manipulating this parameter, potentially leading to information disclosure by probing internal networks or APIs.

How to fix Server-side Request Forgery (SSRF)?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Information Exposure

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Information Exposure in the identity-first login flow when Organizations are enabled. An attacker can obtain information about the existence of users by analyzing differential error messages.

How to fix Information Exposure?

A fix was pushed into the master branch but not yet published.

[0,)

Access Control Bypass

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Access Control Bypass due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. An attacker can modify protected resources without proper authorization by sending crafted requests to this endpoint when the allowRemoteResourceManagement setting is set to false.

How to fix Access Control Bypass?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Server-side Request Forgery (SSRF)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) when processing client configuration requests. An attacker can make unintended requests to internal or restricted resources by sending a malicious sector_identifier_uri that accesses addresses such as a cloud metadata services at 169.254.169.254.

How to fix Server-side Request Forgery (SSRF)?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Server-side Request Forgery (SSRF)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of the backchannel_client_notification_endpoint, which is configured during client registration or administration. A privileged user can make unauthorized requests to internal services, but cannot access the responses.

How to fix Server-side Request Forgery (SSRF)?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

org.keycloak:keycloak-services@26.5.7

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically