org.keycloak:keycloak-server-spi-private@26.3.1

  • latest version: 26.5.7

  • first published: 9 years ago

  • latest version published: 17 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.keycloak:keycloak-server-spi-private package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable versions

    • [High severity] Authentication Bypass by Primary Weakness

    org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the SAML Identity Provider authentication process when it is disabled. An attacker can gain unauthorized access by exploiting the ability to authenticate through a provider that should not be available.

    How to fix Authentication Bypass by Primary Weakness?

    Upgrade org.keycloak:keycloak-server-spi-private to version 26.2.14, 26.4.10, 26.5.5 or higher.

    Vulnerable versions: [,26.2.14), [26.3.0,26.4.10), [26.5.0,26.5.5)

    • [High severity] Authorization Bypass Through User-Controlled Key

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the IdentityBrokerService.performLogin endpoint. An attacker can gain unauthorized access and bypass administrative restrictions by reusing a previously generated login request referencing a disabled external identity provider.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade org.keycloak:keycloak-server-spi-private to version 26.2.14, 26.4.10, 26.5.5 or higher.

    Vulnerable versions: [,26.2.14), [26.3.0,26.4.10), [26.5.0,26.5.5)

    • [Medium severity] Access Control Bypass

    Affected versions of this package are vulnerable to Access Control Bypass due to the DefaultAttributes attribute filtering in the user profile management. An attacker with manage-users permission can make unauthorized modifications to user profile attributes even when the “Only administrators can view” policy is enabled by bypassing the edit restriction on unmanaged attributes.

    How to fix Access Control Bypass?

    Upgrade org.keycloak:keycloak-server-spi-private to version 26.5.2 or higher.

    Vulnerable versions: [,26.5.2)

    • [Medium severity] Incorrect Privilege Assignment

    Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the Admin API. An attacker can access sensitive user attributes by sending crafted requests with limited administrator privileges.

    Note: This is only exploitable if the attacker has a valid account on the realm, has the view-users role, and the target realm uses the User Profile feature with custom attributes set to restricted visibility.

    How to fix Incorrect Privilege Assignment?

    Upgrade org.keycloak:keycloak-server-spi-private to version 26.5.2 or higher.

    Vulnerable versions: [,26.5.2)

    • [Medium severity] Access Control Bypass

    Affected versions of this package are vulnerable to Access Control Bypass via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint. A remote, authenticated attacker holding high privileges can read sensitive role metadata by sending crafted requests to this endpoint.

    How to fix Access Control Bypass?

    Upgrade org.keycloak:keycloak-server-spi-private to version 26.5.0 or higher.

    Vulnerable versions: [0,26.5.0)

    • [Medium severity] CRLF Injection

    Affected versions of this package are vulnerable to CRLF Injection during e-mail registration. An attacker can cause the system to send unsolicited e-mails (limited to 64 characters) by injecting special characters into the e-mail input field.

    How to fix CRLF Injection?

    Upgrade org.keycloak:keycloak-server-spi-private to version 26.3.3 or higher.

    Vulnerable versions: [,26.3.3)