org.keycloak:keycloak-services@26.6.1

  • latest version

    26.6.1

  • first published

    12 years ago

  • latest version published

1 month ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability    |    Vulnerable Version
    • H (High severity)
    Authorization Bypass Through User-Controlled Key

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions are vulnerable to Authorization Bypass Through User-Controlled Key in the cross-session email verification step of identity provider account linking. An attacker who controls an upstream identity provider account sharing the victim's email address can consume the victim's verification proof and thereby gain persistent access to the victim's local account. Exploitation requires all of the following: the attacker controls an upstream identity provider account with the same email as the victim, the victim is actively linking their account, email verification is enabled, and the identity provider is configured with trustEmail=false (with trustEmail=true the brokered email is accepted without this verification step, so the vulnerable path is not reached).

    How to fix Authorization Bypass Through User-Controlled Key?

    There is no fixed version for org.keycloak:keycloak-services.

    Vulnerable versions: [26.3.0,) (26.3.0 and every later release, including the 26.6.1 listed here)
    • L (Low severity)
    Improper Certificate Validation

    Affected versions are vulnerable to Improper Certificate Validation via packed self-attestation during WebAuthn registration. When direct attestation is requested, an authenticator that instead returns self-attestation (a packed attestation statement with no certificate chain) is accepted without its AAGUID being checked against the configured allowlist, so an unapproved authenticator can be registered.

    The attack surface is limited; as the project maintainers note: "By default, for a simple implementation, attestation and AAGUIDs may not be considered necessary."

    How to fix Improper Certificate Validation?

    A fix has been merged into the master branch but has not yet been published in a release.

    Vulnerable versions: [0,) (every release, including the 26.6.1 listed here)
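The check the advisory says is skipped, written out as an added example that is not Keycloak's code: it parses the AAGUID out of WebAuthn authenticator data (the layout is the one defined by the WebAuthn specification) and contrasts a policy that consults the allowlist only when a certificate chain is present with one that enforces it on every registration. The attestation signature check that a real verifier performs first is left out; the AAGUIDs, COSE key bytes and attestation statements are constructed placeholders, and treating packed-without-x5c as self-attestation follows the specification's definition of the packed format.

```python
import hashlib
import struct
import uuid

AT_FLAG = 0x40   # authData flags: attested credential data present
UP_FLAG = 0x01   # authData flags: user present


def build_authenticator_data(rp_id_hash: bytes, flags: int, sign_count: int,
                             aaguid: uuid.UUID, credential_id: bytes,
                             cose_key: bytes) -> bytes:
    """Assemble authenticator data in the WebAuthn layout (used here only to
    construct sample registrations):
    rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE key"""
    if len(rp_id_hash) != 32:
        raise ValueError("rpIdHash must be 32 bytes")
    return (rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
            + aaguid.bytes + struct.pack(">H", len(credential_id))
            + credential_id + cose_key)


def parse_aaguid(auth_data: bytes) -> uuid.UUID:
    """Extract the AAGUID; it is only present when the AT flag is set."""
    if len(auth_data) < 37:
        raise ValueError("authData shorter than the fixed header")
    if not auth_data[32] & AT_FLAG:
        raise ValueError("no attested credential data in authData")
    if len(auth_data) < 53:
        raise ValueError("authData truncated inside the AAGUID")
    return uuid.UUID(bytes=auth_data[37:53])


def is_self_attestation(fmt: str, att_stmt: dict) -> bool:
    """Packed attestation without an x5c chain is self attestation: the device
    signs with the freshly created credential key, so no CA vouches for it and
    the AAGUID in authData is merely asserted."""
    return fmt == "packed" and "x5c" not in att_stmt


def aaguid_check_vulnerable(fmt, att_stmt, auth_data, allowlist):
    """The flawed shape the advisory describes: the allowlist is consulted only
    when a certificate chain is present, so answering with self attestation
    skips it entirely."""
    if is_self_attestation(fmt, att_stmt):
        return True
    return str(parse_aaguid(auth_data)) in allowlist


def aaguid_check_fixed(fmt, att_stmt, auth_data, allowlist, require_attested=True):
    """Enforce the allowlist on every registration. With require_attested (the
    strict choice when direct attestation was requested) a self-attested AAGUID
    is rejected outright, because nothing anchors it to a vendor."""
    if not allowlist:
        return True                      # no AAGUID policy configured
    if require_attested and is_self_attestation(fmt, att_stmt):
        return False
    return str(parse_aaguid(auth_data)) in allowlist


# Constructed sample data: made-up AAGUIDs, stand-in key and signature bytes.
RP_ID_HASH = hashlib.sha256(b"idp.example.com").digest()
APPROVED_AAGUID = uuid.UUID("11111111-2222-4333-8444-555555555555")
ROGUE_AAGUID = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")
ALLOWLIST = {str(APPROVED_AAGUID)}
COSE_KEY = b"\xa5\x01\x02\x03\x26"                       # not a real COSE key
SELF_ATT_STMT = {"alg": -7, "sig": b"\x30\x44"}            # packed, no x5c
CA_ATT_STMT = {"alg": -7, "sig": b"\x30\x44", "x5c": [b"der-cert"]}

if __name__ == "__main__":
    rogue = build_authenticator_data(RP_ID_HASH, AT_FLAG | UP_FLAG, 1,
                                     ROGUE_AAGUID, b"cred-1", COSE_KEY)
    print("vulnerable accepts rogue self-attested device:",
          aaguid_check_vulnerable("packed", SELF_ATT_STMT, rogue, ALLOWLIST))
    print("fixed accepts it:",
          aaguid_check_fixed("packed", SELF_ATT_STMT, rogue, ALLOWLIST))
```

With require_attested=False the fixed check still compares the asserted AAGUID against the allowlist, which closes the bypass the advisory describes; require_attested=True is the stricter reading of "direct attestation requested" and refuses self-attestation altogether when an allowlist is configured.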
    • M (Medium severity)
    Forced Browsing

    Affected versions are vulnerable to Forced Browsing in the account and account-api features. When the server is started with --features-disabled=account,account-api, the corresponding endpoints are not fully switched off: an authenticated user with API access can still reach specific account endpoints and perform read and write operations there, bypassing the intended feature disablement.

    How to fix Forced Browsing?

    There is no fixed version for org.keycloak:keycloak-services.

    Vulnerable versions: [0,) (every release, including the 26.6.1 listed here)
    • M (Medium severity)
    Origin Validation Error

    Affected versions are vulnerable to Origin Validation Error in the UMA token endpoint: the azp claim of a client-supplied JWT is used to choose the Access-Control-Allow-Origin header before the JWT's signature has been validated. By submitting a JWT with a crafted azp value (no valid signature is needed), an attacker can have their own origin reflected as the CORS origin on the authorization server's error responses, exposing the low-sensitivity information in those responses to a cross-origin page.

    Note:

    This is only exploitable if the client named in azp is misconfigured with webOrigins: ["*"], the wildcard entry under which the requesting Origin is echoed back.

    How to fix Origin Validation Error?

    There is no fixed version for org.keycloak:keycloak-services.

    Vulnerable versions: [0,) (every release, including the 26.6.1 listed here)
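The ordering problem described above, as an added example that is not Keycloak's code: a minimal HS256 token endpoint in which the vulnerable handler reads azp from the unverified payload and emits the CORS header before the signature check, while the fixed handler verifies first and attaches no CORS header to a failure. The server key, the client registry and the rule that a webOrigins entry of "*" echoes the request's Origin are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: the server's HMAC key and a client registry
# carrying webOrigins the way a client configuration would.
SERVER_KEY = b"demo-signing-key"
CLIENTS = {
    "resource-server": {"webOrigins": ["https://app.example.com"]},
    "sloppy-client":   {"webOrigins": ["*"]},   # the misconfiguration the note describes
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT; an attacker calls this with a key of their own."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes):
    """Return the claims only if the HMAC signature checks out, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def _origin_for_client(client_id, request_origin):
    """Apply the client's webOrigins policy: an exact match or "*" echoes the
    request's Origin back; anything else yields no CORS header."""
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if "*" in client["webOrigins"] or request_origin in client["webOrigins"]:
        return request_origin
    return None


def token_endpoint_vulnerable(token: str, request_origin: str):
    """Flawed ordering: azp is taken from the unverified payload and drives CORS,
    then the signature check fails and the error response still carries the header."""
    headers = {}
    _, body, _ = token.split(".")
    unverified = json.loads(_b64url_decode(body))
    allowed = _origin_for_client(unverified.get("azp"), request_origin)
    if allowed:
        headers["Access-Control-Allow-Origin"] = allowed
    claims = verify_jwt(token, SERVER_KEY)
    if claims is None:
        return 401, headers, {"error": "invalid_grant"}
    return 200, headers, {"ok": True}


def token_endpoint_fixed(token: str, request_origin: str):
    """Verify first: only a signed azp may select a client, and a rejected token
    gets no CORS header at all, so nothing is reflected to a cross-origin page."""
    headers = {}
    claims = verify_jwt(token, SERVER_KEY)
    if claims is None:
        return 401, headers, {"error": "invalid_grant"}
    allowed = _origin_for_client(claims.get("azp"), request_origin)
    if allowed:
        headers["Access-Control-Allow-Origin"] = allowed
    return 200, headers, {"ok": True}


if __name__ == "__main__":
    forged = make_jwt({"azp": "sloppy-client"}, b"attacker-key")
    print("vulnerable:", token_endpoint_vulnerable(forged, "https://evil.example"))
    print("fixed:     ", token_endpoint_fixed(forged, "https://evil.example"))
```

Run stand-alone, the vulnerable handler answers the forged token with 401 plus Access-Control-Allow-Origin: https://evil.example, which is exactly the reflected origin the advisory describes; the fixed handler answers 401 with no CORS header. Removing the "*" entry from sloppy-client also closes the hole, which is why the note calls the wildcard a precondition.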
    • L (Low severity)
    Server-side Request Forgery (SSRF)

    Affected versions are vulnerable to Server-side Request Forgery (SSRF) through the client_session_host parameter of refresh token requests. When a client's backchannel.logout.url is configured with the application.session.host placeholder, the request-supplied value is substituted into the logout URL, so an attacker can make the server send HTTP requests to arbitrary internal or external endpoints and probe internal networks or APIs, potentially disclosing information.

    How to fix Server-side Request Forgery (SSRF)?

    There is no fixed version for org.keycloak:keycloak-services.

    Vulnerable versions: [0,) (every release, including the 26.6.1 listed here)
    • M (Medium severity)
    Access Control Bypass

    Affected versions are vulnerable to Access Control Bypass because access control checks on PUT requests to the resource_set endpoint are incompletely enforced. Even when a client's allowRemoteResourceManagement setting is false, which is meant to block resource management through that endpoint, an attacker can send crafted PUT requests and modify protected resources without authorization.

    How to fix Access Control Bypass?

    There is no fixed version for org.keycloak:keycloak-services.

    Vulnerable versions: [0,) (every release, including the 26.6.1 listed here)
    • M (Medium severity)
    Server-side Request Forgery (SSRF)

    Affected versions are vulnerable to Server-side Request Forgery (SSRF) through insufficient validation of the backchannel_client_notification_endpoint (the CIBA client notification URL), which is set during client registration or administration. A privileged user who can set that URL can make the server issue requests to internal services; the SSRF is blind, as the responses are not returned to the user.

    How to fix Server-side Request Forgery (SSRF)?

    There is no fixed version for org.keycloak:keycloak-services.

    Vulnerable versions: [0,) (every release, including the 26.6.1 listed here)
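Both SSRF entries on this page (the client_session_host substitution into backchannel.logout.url and the backchannel_client_notification_endpoint set at client registration) come down to the server connecting to a URL it received from a client or request. The validator below is an added example, not Keycloak's code, of the checks a practitioner would apply before such a URL is used: scheme and userinfo restrictions, and rejection of any host that is an IP literal for, or resolves to, a loopback, private, link-local or otherwise non-public address. The https-only rule, the placeholder spelling ${application.session.host}, the idea of restricting the substituted host to a registered set, and the DNS table (which makes the example run offline) are all assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}   # assumption for this example; widen deliberately, not by default


def system_resolve(host: str) -> set:
    """Resolve a hostname to every address it currently maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed DNS table so the example runs offline. 93.184.216.x stands in for
# public addresses; the others are the classic SSRF targets.
DEMO_DNS = {
    "idp.example.com": {"93.184.216.34"},
    "metadata":        {"169.254.169.254"},            # cloud instance metadata
    "intranet.corp":   {"10.0.0.5", "93.184.216.35"},  # one private answer is enough to reject
}


def demo_resolve(host: str) -> set:
    return DEMO_DNS.get(host, set())


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_backchannel_url(url: str, resolve=system_resolve) -> str:
    """Accept a URL only if the server may safely connect to it; raises ValueError.
    A resolver check is a point-in-time answer, so a hardened HTTP client also
    pins the validated address when it opens the connection (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed in URL")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addresses = {str(ipaddress.ip_address(host))}   # IP literal, including [v6]
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        raise ValueError(f"unresolvable host {host!r}")
    for addr in addresses:
        if not is_public_address(addr):
            raise ValueError(f"{host} maps to non-public address {addr}")
    return url


def is_safe_backchannel_url(url: str, resolve=system_resolve) -> bool:
    try:
        validate_backchannel_url(url, resolve)
        return True
    except ValueError:
        return False


SESSION_HOST_PLACEHOLDER = "${application.session.host}"   # assumed placeholder spelling


def expand_session_host(template: str, client_session_host: str,
                        registered_hosts: set, resolve=system_resolve) -> str:
    """Substitute the request-supplied host into the logout URL only when it is
    one of the hosts the client registered up front, then validate the result."""
    if client_session_host not in registered_hosts:
        raise ValueError(f"client_session_host {client_session_host!r} is not registered")
    return validate_backchannel_url(
        template.replace(SESSION_HOST_PLACEHOLDER, client_session_host), resolve)


if __name__ == "__main__":
    for candidate in ("https://idp.example.com/logout", "https://metadata/latest/",
                      "https://[::ffff:127.0.0.1]/", "https://intranet.corp/"):
        print(candidate, "->", is_safe_backchannel_url(candidate, demo_resolve))
```

The registered-host rule is what removes the request-controlled component in the first SSRF entry: the client still gets per-session logout URLs, but only for hosts it declared in advance. The address check is what the second entry lacks, and it has to run on every resolved answer, since a name with one public and one private record is still a path into the internal network.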