org.keycloak:keycloak-services@26.0.5

  • latest version

    26.5.6

  • first published

    12 years ago

  • latest version published

    14 days ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • L
    Server-side Request Forgery (SSRF)

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the client_session_host parameter during refresh token requests when the client is configured to use the backchannel.logout.url with the application.session.host placeholder. An attacker can cause the server to make HTTP requests to arbitrary internal or external endpoints by manipulating this parameter, potentially leading to information disclosure by probing internal networks or APIs.

    How to fix Server-side Request Forgery (SSRF)?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • M
    Information Exposure

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Information Exposure in the identity-first login flow when Organizations are enabled. An attacker can obtain information about the existence of users by analyzing differential error messages.

    How to fix Information Exposure?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • M
    Access Control Bypass

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Access Control Bypass due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. An attacker can modify protected resources without proper authorization by sending crafted requests to this endpoint when the allowRemoteResourceManagement setting is set to false.

    How to fix Access Control Bypass?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • M
    Server-side Request Forgery (SSRF)

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) when processing client configuration requests. An attacker can make unintended requests to internal or restricted resources by sending a malicious sector_identifier_uri that points at addresses such as the cloud metadata service at 169.254.169.254.

    How to fix Server-side Request Forgery (SSRF)?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • M
    Improper Validation of Specified Type of Input

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via improper validation of encrypted SAML assertions. An attacker can gain unauthorized access by submitting specially crafted SAML assertions.

    How to fix Improper Validation of Specified Type of Input?

    Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

    [,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)
    • H
    Authentication Bypass by Primary Weakness

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the SAML Identity Provider authentication process when it is disabled. An attacker can gain unauthorized access by exploiting the ability to authenticate through a provider that should not be available.

    How to fix Authentication Bypass by Primary Weakness?

    Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

    [,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)
    • H
    Authorization Bypass Through User-Controlled Key

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the IdentityBrokerService.performLogin endpoint. An attacker can gain unauthorized access and bypass administrative restrictions by reusing a previously generated login request referencing a disabled external identity provider.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

    [,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)
    • H
    Authentication Bypass by Primary Weakness

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness when a disabled SAML client is configured as an Identity Provider (IdP)-initiated broker landing target. An attacker can gain unauthorized access to other enabled clients via a Single Sign-On (SSO) session.

    How to fix Authentication Bypass by Primary Weakness?

    Upgrade org.keycloak:keycloak-services to version 26.2.14, 26.4.10, 26.5.5 or higher.

    [,26.2.14)[26.3.0,26.4.10)[26.5.0,26.5.5)
    • L
    Missing Critical Step in Authentication

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Missing Critical Step in Authentication due to insufficient validation of the authentication Level of Assurance in the Account REST API. An attacker can gain control over a victim's account by deleting the victim's registered MFA device and registering their own, provided they have obtained the victim's primary credentials.

    How to fix Missing Critical Step in Authentication?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • M
    Improper Handling of Insufficient Permissions or Privileges

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges via improper enforcement of roles in the UMA 2.0 Protection API which fails to enforce the uma_protection role check. An attacker can access sensitive information by leveraging insufficient permission checks.

    How to fix Improper Handling of Insufficient Permissions or Privileges?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • H
    Incorrect Privilege Assignment

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the manage-clients permission assignment. An attacker can gain unauthorized access to higher-privileged operations by exploiting insufficient enforcement of access controls.

    How to fix Incorrect Privilege Assignment?

    Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

    [0,26.5.6)
    • M
    Improper Authorization

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Improper Authorization in the /protocol/docker-v2/auth endpoint, which does not ensure that the client is in “Enabled” status before granting an access token. This allows a user in possession of valid credentials and the client ID of a disabled client to bypass administrative restrictions.

    How to fix Improper Authorization?

    Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.

    [0,26.5.4)
    • H
    Improper Handling of Highly Compressed Data (Data Amplification)

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) via the SAMLRequest DEFLATE decompression. An attacker can cause service disruption by sending highly compressed requests that trigger excessive resource consumption during decompression.

    How to fix Improper Handling of Highly Compressed Data (Data Amplification)?

    Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.

    [1.9.0.CR1,26.5.4)
    • L
    Authorization Bypass Through User-Controlled Key

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the Admin API when the Organizations feature is enabled. An authenticated attacker can enumerate the organization memberships of any other user if their unique identifier (UUID) is known.

    Note:

    This is only exploitable if the Organizations feature is enabled (which is the default in recent versions), the attacker possesses a valid access token for the realm and the attacker knows the UUID of the victim user.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

    [0,26.5.6)
    • H
    Improper Verification of Cryptographic Signature

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the invitation tokens in the registration process. An attacker can gain unauthorized access to organizations by modifying the organization ID and target email within a legitimate invitation token's JWT payload.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

    [,26.5.3)
    • H
    Improperly Implemented Security Check for Standard

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard due to improper verification if an Identity Provider (IdP) is enabled before issuing tokens. An attacker can gain unauthorized access by issuing valid access tokens using a disabled Identity Provider's signing key.

    How to fix Improperly Implemented Security Check for Standard?

    Upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

    [,26.5.3)
    • M
    Incorrect Privilege Assignment

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Incorrect Privilege Assignment due to insufficient ownership verification in the UserManagedPermissionService (UMA Protection API). An attacker can gain unauthorized access to modify or delete authorization rules for resources they do not own by updating or deleting a policy associated with multiple resources, where the authorization check only validates ownership of the first resource in the list.

    How to fix Incorrect Privilege Assignment?

    Upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

    [,26.5.3)
    • M
    Server-side Request Forgery (SSRF)

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of the backchannel_client_notification_endpoint, which is configured during client registration or administration. A privileged user can make unauthorized requests to internal services, but cannot access the responses.

    How to fix Server-side Request Forgery (SSRF)?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)
    • H
    Improper Enforcement of Behavioral Workflow

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Improper Enforcement of Behavioral Workflow via the Token Exchange implementation. An attacker can obtain access and refresh tokens for users who have been disabled by invoking the token exchange flow with a privileged client, potentially resulting in unauthorized access to previously revoked privileges.

    How to fix Improper Enforcement of Behavioral Workflow?

    Upgrade org.keycloak:keycloak-services to version 26.5.2 or higher.

    [,26.5.2)
    • L
    Time-of-check Time-of-use (TOCTOU) Race Condition

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the validateTokenReuse method in the TokenManager class. An attacker can obtain multiple access tokens from a single refresh token by making concurrent refresh requests.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    A fix was pushed into the master branch but not yet published.

    [0,)
    • L
    Missing XML Validation

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Missing XML Validation of the NotOnOrAfter timestamp in SubjectConfirmationData when SAML is configured to act as a client (SAML brokering). An attacker can extend the validity of SAML responses by manipulating the timestamp, potentially resulting in prolonged session durations or increased resource usage.

    How to fix Missing XML Validation?

    Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.

    [0,26.5.4)
    • M
    Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Incorrect Behavior Order: Authorization Before Parsing and Canonicalization due to the Authorization header parser accepting non-standard characters as separators and tolerating case variations that do not comply with RFC 6750 specifications. An attacker can bypass intended access restrictions by crafting specially formatted authentication headers.

    How to fix Incorrect Behavior Order: Authorization Before Parsing and Canonicalization?

    Upgrade org.keycloak:keycloak-services to version 26.5.4 or higher.

    [9.0.0,26.5.4)
    • H
    Authentication Bypass by Alternate Name

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name via the ResourceSetService and PermissionTicketService modules due to improper verification of resourceServer ID. An attacker can access and modify resources belonging to other clients by supplying a valid resourceId in the admin API endpoints, bypassing proper authorization checks.

    How to fix Authentication Bypass by Alternate Name?

    Upgrade org.keycloak:keycloak-services to version 26.5.6 or higher.

    [0,26.5.6)
    • M
    Access Control Bypass

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Access Control Bypass via the /admin/realms/master/users/profile endpoint. An attacker can access internal user profile schema data by leveraging 'create-client' permissions.

    How to fix Access Control Bypass?

    Upgrade org.keycloak:keycloak-services to version 26.5.0 or higher.

    [0,26.5.0)
    • L
    Missing Critical Step in Authentication

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the WebAuthn Attestation Statement verification. An attacker can influence policy enforcement by manipulating the registration flow or using a rogue authenticator under user control.

    How to fix Missing Critical Step in Authentication?

    Upgrade org.keycloak:keycloak-services to version 26.5.1 or higher.

    [0,26.5.1)
    • M
    CRLF Injection

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to CRLF Injection during e-mail registration. An attacker can cause the system to send unsolicited emails, limited to 64 characters, by injecting special characters into the email input field.

    How to fix CRLF Injection?

    Upgrade org.keycloak:keycloak-services to version 26.3.3 or higher.

    [,26.3.3)
    • M
    Insufficient Session Expiration

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Insufficient Session Expiration due to the offline session of a user not being invalidated when the offline_access scope is removed. An attacker can maintain access to refresh tokens and continue to request new tokens by leveraging a session that should have been invalidated after scope removal.

    How to fix Insufficient Session Expiration?

    Upgrade org.keycloak:keycloak-services to version 26.3.0 or higher.

    [,26.3.0)
    • L
    Insufficient Session Expiration

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Insufficient Session Expiration in the "Remember Me" realm setting. An attacker with a long-lived "Remember Me" session (e.g., a stolen identity cookie) can maintain access for the full original remember-me lifetime to gain unauthorized access to sensitive information or perform actions as another user.

    How to fix Insufficient Session Expiration?

    Upgrade org.keycloak:keycloak-services to version 26.4.2 or higher.

    [,26.4.2)
    • M
    Exposure of Sensitive System Information to an Unauthorized Control Sphere

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the /admin/serverinfo endpoint, which exposes internal server details, when an authenticated user logs into the system or accesses the admin console.

    Note: Direct access to this endpoint returns a 401 Unauthorized error.

    How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere?

    Upgrade org.keycloak:keycloak-services to version 26.4.0 or higher.

    [0,26.4.0)
    • L
    Improper Privilege Management

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Improper Privilege Management via improper privilege enforcement in the Fine-Grained Admin Permissions process. An attacker can gain unauthorized administrative access by leveraging a user account with the manage-users role to escalate privileges to realm-admin. This is because policies and permissions share the same table internally.

    Note: It is recommended to use a unique name for the permission; the name must not conflict with any policy name.

    How to fix Improper Privilege Management?

    Upgrade org.keycloak:keycloak-services to version 26.3.0 or higher.

    [,26.3.0)
    • M
    Origin Validation Error

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Origin Validation Error via the review profile process. An attacker can gain unauthorized access to another user's account by initiating an account merge during an identity provider login and modifying their email address to match the victim's, which results in a verification email being sent to the victim. If the victim clicks the verification link, the attacker is able to access the victim's account.

    Note:

    This is only exploitable if an IdP is configured in Keycloak and the attacker has access to both a registered Keycloak account and an identity provider account. Additionally, the attacker would need to know the email or Keycloak username of the victim. Finally, the victim would need to accept the verification link within the 5 minutes that the token is active.

    How to fix Origin Validation Error?

    Upgrade org.keycloak:keycloak-services to version 26.3.0 or higher.

    [,26.3.0)
    • H
    Improper Validation of Certificate with Host Mismatch

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch when setting the verification policy to 'ALL'. This is supposed to skip hostname check but an unintended side effect is skipping trust store certificate verification. An attacker can read sensitive data from the system and perform spoofing or redirection attacks by exploiting this vulnerability.

    Note:

    The ANY mode should not be used in production.

    How to fix Improper Validation of Certificate with Host Mismatch?

    Upgrade org.keycloak:keycloak-services to version 26.2.2 or higher.

    [,26.2.2)
    • M
    Improper Authentication

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Improper Authentication. An attacker can circumvent required actions configured by an administrator such as setting up 2FA by using AIA (Application-initiated actions). If a user account has been required by an administrator to perform a required action, the same user can pass in a URL parameter during the sign in process to exploit this vulnerability.

    How to fix Improper Authentication?

    Upgrade org.keycloak:keycloak-services to version 26.2.2 or higher.

    [,26.2.2)
    • M
    Allocation of Resources Without Limits or Throttling

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when caching JWT tokens, which are not limited in their expiration time. An attacker can cause the consumption of excessive memory by sending malicious JWT tokens.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade org.keycloak:keycloak-services to version 26.0.11, 26.1.5 or higher.

    [23.0.0,26.0.11)[26.1.0,26.1.5)
    • M
    Incorrect User Management

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Incorrect User Management in oidc/OrganizationMembershipMapper.java, which relies on matching the domain of a user's email address to map them to an organization. A user can make an unauthorized token claim including association with an organization that they are not actually mapped to. If self-registration is enabled and unrestricted, this is easier to exploit.

    How to fix Incorrect User Management?

    Upgrade org.keycloak:keycloak-services to version 26.1.3 or higher.

    [,26.1.3)
    • M
    Exposure of Sensitive Information Through Environmental Variables

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs.

    Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like ${env.VARNAME} or ${PROPNAME}, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties.

    How to fix Exposure of Sensitive Information Through Environmental Variables?

    Upgrade org.keycloak:keycloak-services to version 26.0.8 or higher.

    [,26.0.8)
    • M
    Denial of Service (DoS)

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Denial of Service (DoS) by modifying security headers and inserting newlines. An attacker can cause the server to process a terminated request, leading to service failure.

    Note: This is only exploitable if the attacker can change realm settings.

    How to fix Denial of Service (DoS)?

    Upgrade org.keycloak:keycloak-services to version 26.0.8 or higher.

    [,26.0.8)
    • M
    External Control of File Name or Path

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to External Control of File Name or Path. An attacker could read sensitive information from a Vault file that is not within the expected context by exploiting this vulnerability.

    Note:

    This is only exploitable if the attacker already has high-privilege access to the Keycloak server in order to perform resource creation.

    How to fix External Control of File Name or Path?

    Upgrade org.keycloak:keycloak-services to version 26.0.6 or higher.

    [,26.0.6)
    • H
    Regular Expression Denial of Service (ReDoS)

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the SearchQueryUtils method due to improper input sanitization. An attacker could exhaust system resources and achieve denial of service by exploiting this vulnerability.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade org.keycloak:keycloak-services to version 26.0.6 or higher.

    [,26.0.6)
    • M
    HTTP Request Smuggling

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper handling of proxy headers resulting in costly DNS resolution operations. An attacker could tie up IO threads and potentially cause a denial of service by exploiting these operations.

    Notes:

    1. This is only exploitable if the attacker has access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

    2. For versions 26.x, this is only exploitable if the realm has SslRequired=EXTERNAL (the default), HTTP is enabled, the instance is not using a full hostname URL, access comes from behind a proxy (assuming the proxy overwrites the X-Forwarded-For header), and trusted proxies are not set or incorrectly trust the client from which the request originates.

    How to fix HTTP Request Smuggling?

    Upgrade org.keycloak:keycloak-services to version 26.0.6 or higher.

    [,26.0.6)