org.keycloak:keycloak-services@26.6.2

  • latest version

    26.6.4

  • first published

    12 years ago

  • latest version published

    2 days ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

    Severity | Vulnerability | Vulnerable Version
    • H
    Improper Verification of Cryptographic Signature

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the JWT Authorization Grant flow due to algorithm confusion in signature verification. An attacker can gain unauthorized access and potentially escalate privileges by forging assertions and creating unauthorized access tokens.

    How to fix Improper Verification of Cryptographic Signature?

    A fix was pushed into the master branch but not yet published.

    [0,)
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the partialImport feature. An attacker can gain unauthorized administrative privileges by leveraging the POST /admin/realms/{realm}/partialImport endpoint to import users with elevated role mappings, thereby bypassing intended permission restrictions.

    How to fix Incorrect Authorization?

    A fix was pushed into the master branch but not yet published.

    [0,)
    • M
    Insufficient Granularity of Access Control

    Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the getMembers() methods that serve the group members endpoint. An admin user with delegated access to read group memberships and users can read user profile attributes that are explicitly configured to be denied by using their delegated administrative access to expose those values over the group membership API.

    How to fix Insufficient Granularity of Access Control?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure via the SAML ECP endpoint when specially crafted SOAP requests are sent with varying client IDs. An attacker can obtain protocol type information associated with different client IDs by analyzing the faultstrings in the responses.

    How to fix Information Exposure?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [2.0.0.Final,26.6.3)
    • H
    Improper Validation of Specified Quantity in Input

    Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the TokenEndpoint endpoint when an oversized subject_token JWT exceeding 4000 characters is submitted. An attacker can gain unintended service account permissions by exploiting the fallback to client credentials that occurs when the oversized token is silently dropped.

    How to fix Improper Validation of Specified Quantity in Input?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • M
    Incorrect Privilege Assignment

    Affected versions of this package are vulnerable to Incorrect Privilege Assignment via improper enforcement of scope mapping in the Fine-Grained Admin Permissions (FGAPv2) feature due to ScopeMappedResource and ScopeMappedClientResource write endpoints missing a call to requireMapClientScope per role. An attacker can gain unauthorized access to privileged roles by injecting arbitrary realm roles into a client's scope, which are then projected into a user's authentication token upon login through the compromised client. This is only exploitable if Fine-Grained Admin Permissions (FGAPv2) are enabled and the attacker has fine-grained client management permissions, and a privileged user subsequently authenticates through the affected client.

    How to fix Incorrect Privilege Assignment?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [26.2.0,26.6.3)
    • L
    Improper Validation of Consistency within Input

    Affected versions of this package are vulnerable to Improper Validation of Consistency within Input via the authentication process when a client is configured with a wildcard redirect URI. An attacker can cause the client application to incorrectly process attacker-controlled OIDC response parameters by crafting a malicious authorization URL and tricking a user into clicking it.

    How to fix Improper Validation of Consistency within Input?

    A fix was pushed into the master branch but not yet published.

    [0,)
    • H
    Improper Verification of Cryptographic Signature

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the requestObjectSignatureAlg policy bypass during the processing of JWE-encrypted request objects containing raw JSON plaintext. An attacker can submit unauthorized claims by crafting specially formed JWE-encrypted request objects, potentially compromising data integrity within the OpenID Connect authorization flow.

    How to fix Improper Verification of Cryptographic Signature?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • H
    Insufficient Session Expiration

    Affected versions of this package are vulnerable to Insufficient Session Expiration due to the startupTime reset during server restart when revokeRefreshToken=true and persistent session storage is enabled. An attacker can gain unauthorized access to user accounts by replaying a previously revoked refresh token that was captured before the restart.

    How to fix Insufficient Session Expiration?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • L
    Authentication Bypass by Primary Weakness

    Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the Client-Initiated Backchannel Authentication (CIBA) flow. An attacker can continue authentication attempts and obtain tokens by exploiting the CIBA flow even when a user account is locked due to brute-force protection. This is only exploitable if CIBA is explicitly enabled and configured, and the user approves the authentication request on their device.

    How to fix Authentication Bypass by Primary Weakness?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • M
    Out-of-bounds Read

    Affected versions of this package are vulnerable to Out-of-bounds Read via the authorization header parsing in the ClientRegistrationAuth component. An attacker can cause a temporary disruption of service by sending a specially crafted request with a malformed 'Authorization: Bearer' header, which triggers an ArrayIndexOutOfBoundsException and results in an HTTP 500 error.

    How to fix Out-of-bounds Read?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [9.0.0,26.6.3)
    • H
    Time-of-check Time-of-use (TOCTOU) Race Condition

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the role rename endpoint. An attacker can gain unauthorized administrative privileges by exploiting a timing window between permission checks and their enforcement. The attacker can escalate their access to realm-wide administrative control, even after their original permissions are revoked and across system reboots.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    A fix was pushed into the master branch but not yet published.

    [0,)
    • H
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the user-facing APIs when the Organizations feature is disabled. An attacker can access organization membership data and obtain tokens containing organization claims by making authenticated requests, even after an administrator has disabled the feature at the realm level.

    How to fix Incorrect Authorization?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • M
    Improper Handling of Insufficient Permissions or Privileges

    Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the org.keycloak.protocol.oidc component when specific condition providers such as client-type, client-roles, client-attributes, or client-scopes are used. An attacker can gain unauthorized access and obtain authentication tokens by bypassing configured policy restrictions through Resource Owner Password Credentials (ROPC) grants, even when policies are set to block such requests. This is only exploitable if client policies rely on these condition providers to enforce ROPC grant rejection.

    How to fix Improper Handling of Insufficient Permissions or Privileges?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • M
    Incorrect Implementation of Authentication Algorithm

    Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm through the TokenManager and OIDC endpoint token checks in the access token introspection, refresh token, and userinfo paths. An attacker can keep using a token after a realm-level not-before event by presenting it to introspection, refresh, or userinfo requests when client-level not-before values are also in play. This lets revoked or otherwise invalidated tokens remain accepted, allowing continued access to protected account, userinfo, and token-refresh operations until the token expires.

    How to fix Incorrect Implementation of Authentication Algorithm?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [9.0.0,26.6.3)
    • M
    Client-Side Enforcement of Server-Side Security

    Affected versions of this package are vulnerable to Client-Side Enforcement of Server-Side Security through the processAction() registration flow in the WebAuthn authenticator components. An attacker can register a credential that does not match the realm’s WebAuthn policy by modifying the browser-side registration parameters or by using an authenticator that returns a different algorithm than requested. The server accepts and stores credentials with disallowed algorithms or other mismatched registration properties, and the same stored credential is then used for future logins without any server-side policy check, leaving users with WebAuthn credentials that do not enforce the administrator’s configured requirements.

    How to fix Client-Side Enforcement of Server-Side Security?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [9.0.2,26.6.3)
    • H
    Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the cross-session email verification process. An attacker can gain persistent access to another user's local account by consuming the verification proof when controlling an upstream identity provider account that shares an email address with the victim. This is only exploitable if the attacker controls an upstream identity provider account with the same email as the victim, the victim is actively linking their account, email verification is enabled, and the identity provider is configured with trustEmail=false.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [26.3.0,26.6.3)
    • M
    Forced Browsing

    Affected versions of this package are vulnerable to Forced Browsing via the account and account-api features when the server is started with --features-disabled=account,account-api. An authenticated user with API access can perform unauthorized read and write operations on specific account endpoints by bypassing the intended feature disablement.

    How to fix Forced Browsing?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • M
    Origin Validation Error

    Affected versions of this package are vulnerable to Origin Validation Error in the UMA token endpoint when the azp claim from a client-supplied JWT is used to set the Access-Control-Allow-Origin header before the JWT signature is validated. An attacker can cause low-sensitivity information from authorization server error responses to be exposed by injecting a specially crafted JWT with a malicious azp value, which is reflected as the CORS origin.

    Note: This is only exploitable if the target client is misconfigured with webOrigins: ["*"].

    How to fix Origin Validation Error?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • L
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the client_session_host parameter during refresh token requests when the client is configured to use the backchannel.logout.url with the application.session.host placeholder. An attacker can cause the server to make HTTP requests to arbitrary internal or external endpoints by manipulating this parameter, potentially leading to information disclosure by probing internal networks or APIs.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)
    • M
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of the backchannel_client_notification_endpoint, which is configured during client registration or administration. A privileged user can make unauthorized requests to internal services, but cannot access the responses.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade org.keycloak:keycloak-services to version 26.6.3 or higher.

    [,26.6.3)