org.keycloak:keycloak-services 26.0.6 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M CRLF Injection org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to CRLF Injection during the e-mail registration. An attacker can cause the system to send unsolicited emails limited to 64 characters by injecting special characters into the email input field. How to fix CRLF Injection? Upgrade `org.keycloak:keycloak-services` to version 26.3.3 or higher.	[,26.3.3)
M Insufficient Session Expiration org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Session Expiration due to the offline session of a user not being invalidated when the `offline_access` scope is removed. An attacker can maintain access to refresh tokens and continue to request new tokens by leveraging a session that should have been invalidated after scope removal. How to fix Insufficient Session Expiration? Upgrade `org.keycloak:keycloak-services` to version 26.3.0 or higher.	[,26.3.0)
L Insufficient Session Expiration org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Session Expiration in the "Remember Me" realm setting. An attacker with a long-lived "Remember Me" session (e.g., stole the identity cookie) can maintain access for the full original remember-me lifetime to gain unauthorized access to sensitive information or perform actions as another user. How to fix Insufficient Session Expiration? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
M Exposure of Sensitive System Information to an Unauthorized Control Sphere org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the `/admin/serverinfo` endpoint, which exposes internal server details, when an authenticated user logs into the system or accesses the admin console. Note: Direct access to this endpoint returns a 401 Unauthorized error. How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere? There is no fixed version for `org.keycloak:keycloak-services`.	[0,)
L Improper Privilege Management org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Privilege Management via improper privilege enforcement in the Fine-Grained Admin Permissions process. An attacker can gain unauthorized administrative access by leveraging a user account with the `manage-users` role to escalate privileges to realm-admin. This is because policies and permissions share the same table internally. Note: It is recommended to use a unique name for the permission; The name must not conflict with any policy name. How to fix Improper Privilege Management? Upgrade `org.keycloak:keycloak-services` to version 26.3.0 or higher.	[,26.3.0)
M Origin Validation Error org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Origin Validation Error via the `review profile` process. An attacker can gain unauthorized access to another user's account by initiating an account merge during an identity provider login and modifying their email address to match the victim's, which results in a verification email being sent to the victim. If the victim clicks the verification link, the attacker is able to access the victim's account. Note: This is only exploitable if IdP is configured in Keycloak and the attacker has access both to a registered Keycloak and identity provider account. Additionally, an attacker would need to know the email or Keycloak username of the victim. Finally, the victim would need to accept the verification link within the 5 minutes that the token is active. How to fix Origin Validation Error? Upgrade `org.keycloak:keycloak-services` to version 26.3.0 or higher.	[,26.3.0)
H Improper Validation of Certificate with Host Mismatch org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch when setting the verification policy to 'ALL'. This is supposed to skip hostname check but an unintended side effect is skipping trust store certificate verification. An attacker can read sensitive data from the system and perform spoofing or redirection attacks by exploiting this vulnerability. Note: The `ANY` mode should not be used in production. How to fix Improper Validation of Certificate with Host Mismatch? Upgrade `org.keycloak:keycloak-services` to version 26.2.2 or higher.	[,26.2.2)
M Improper Authentication org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authentication. An attacker can circumvent required actions configured by an administrator such as setting up 2FA by using AIA (Application-initiated actions). If a user account has been required by an administrator to perform a required action, the same user can pass in a URL parameter during the sign in process to exploit this vulnerability. How to fix Improper Authentication? Upgrade `org.keycloak:keycloak-services` to version 26.2.2 or higher.	[,26.2.2)
M Allocation of Resources Without Limits or Throttling org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when caching JWT tokens, which are not limited in their expiration time. An attacker can cause the consumption of excessive memory by sending malicious JWT tokens. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `org.keycloak:keycloak-services` to version 26.0.11, 26.1.5 or higher.	[23.0.0,26.0.11)[26.1.0,26.1.5)
M Incorrect User Management org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect User Management in `oidc/OrganizationMembershipMapper.java`, which relies on matching the domain of a user's email address to map them to an organization. A user can make an unauthorized token claim including association with an organization that they are not actually mapped to. If self-registration is enabled and unrestricted, this is easier to exploit. How to fix Incorrect User Management? Upgrade `org.keycloak:keycloak-services` to version 26.1.3 or higher.	[,26.1.3)
M Exposure of Sensitive Information Through Environmental Variables org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs. Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like `${env.VARNAME}` or `${PROPNAME}`, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties. How to fix Exposure of Sensitive Information Through Environmental Variables? Upgrade `org.keycloak:keycloak-services` to version 26.0.8 or higher.	[,26.0.8)
M Denial of Service (DoS) org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Denial of Service (DoS) by modification of security headers and inserting newlines. An attacker can cause the server to process a terminated request, leading to service failure. Note: This is only exploitable if the attacker can change realm settings. How to fix Denial of Service (DoS)? Upgrade `org.keycloak:keycloak-services` to version 26.0.8 or higher.	[,26.0.8)

Vulnerability

Vulnerable Version

CRLF Injection

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to CRLF Injection during the e-mail registration. An attacker can cause the system to send unsolicited emails limited to 64 characters by injecting special characters into the email input field.

How to fix CRLF Injection?

Upgrade org.keycloak:keycloak-services to version 26.3.3 or higher.

[,26.3.3)

Insufficient Session Expiration

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to the offline session of a user not being invalidated when the offline_access scope is removed. An attacker can maintain access to refresh tokens and continue to request new tokens by leveraging a session that should have been invalidated after scope removal.

How to fix Insufficient Session Expiration?

Upgrade org.keycloak:keycloak-services to version 26.3.0 or higher.

[,26.3.0)

Insufficient Session Expiration

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insufficient Session Expiration in the "Remember Me" realm setting. An attacker with a long-lived "Remember Me" session (e.g., stole the identity cookie) can maintain access for the full original remember-me lifetime to gain unauthorized access to sensitive information or perform actions as another user.

How to fix Insufficient Session Expiration?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Exposure of Sensitive System Information to an Unauthorized Control Sphere

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the /admin/serverinfo endpoint, which exposes internal server details, when an authenticated user logs into the system or accesses the admin console.

Note: Direct access to this endpoint returns a 401 Unauthorized error.

How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere?

There is no fixed version for org.keycloak:keycloak-services.

[0,)

Improper Privilege Management

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Privilege Management via improper privilege enforcement in the Fine-Grained Admin Permissions process. An attacker can gain unauthorized administrative access by leveraging a user account with the manage-users role to escalate privileges to realm-admin. This is because policies and permissions share the same table internally.

Note: It is recommended to use a unique name for the permission; The name must not conflict with any policy name.

How to fix Improper Privilege Management?

Upgrade org.keycloak:keycloak-services to version 26.3.0 or higher.

[,26.3.0)

Origin Validation Error

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Origin Validation Error via the review profile process. An attacker can gain unauthorized access to another user's account by initiating an account merge during an identity provider login and modifying their email address to match the victim's, which results in a verification email being sent to the victim. If the victim clicks the verification link, the attacker is able to access the victim's account.

Note:

This is only exploitable if IdP is configured in Keycloak and the attacker has access both to a registered Keycloak and identity provider account. Additionally, an attacker would need to know the email or Keycloak username of the victim. Finally, the victim would need to accept the verification link within the 5 minutes that the token is active.

How to fix Origin Validation Error?

Upgrade org.keycloak:keycloak-services to version 26.3.0 or higher.

[,26.3.0)

Improper Validation of Certificate with Host Mismatch

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch when setting the verification policy to 'ALL'. This is supposed to skip hostname check but an unintended side effect is skipping trust store certificate verification. An attacker can read sensitive data from the system and perform spoofing or redirection attacks by exploiting this vulnerability.

Note:

The ANY mode should not be used in production.

How to fix Improper Validation of Certificate with Host Mismatch?

Upgrade org.keycloak:keycloak-services to version 26.2.2 or higher.

[,26.2.2)

Improper Authentication

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Authentication. An attacker can circumvent required actions configured by an administrator such as setting up 2FA by using AIA (Application-initiated actions). If a user account has been required by an administrator to perform a required action, the same user can pass in a URL parameter during the sign in process to exploit this vulnerability.

How to fix Improper Authentication?

Upgrade org.keycloak:keycloak-services to version 26.2.2 or higher.

[,26.2.2)

Allocation of Resources Without Limits or Throttling

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when caching JWT tokens, which are not limited in their expiration time. An attacker can cause the consumption of excessive memory by sending malicious JWT tokens.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade org.keycloak:keycloak-services to version 26.0.11, 26.1.5 or higher.

[23.0.0,26.0.11)[26.1.0,26.1.5)

Incorrect User Management

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect User Management in oidc/OrganizationMembershipMapper.java, which relies on matching the domain of a user's email address to map them to an organization. A user can make an unauthorized token claim including association with an organization that they are not actually mapped to. If self-registration is enabled and unrestricted, this is easier to exploit.

How to fix Incorrect User Management?

Upgrade org.keycloak:keycloak-services to version 26.1.3 or higher.

[,26.1.3)

Exposure of Sensitive Information Through Environmental Variables

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs.

Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like ${env.VARNAME} or ${PROPNAME}, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties.

How to fix Exposure of Sensitive Information Through Environmental Variables?

Upgrade org.keycloak:keycloak-services to version 26.0.8 or higher.

[,26.0.8)

Denial of Service (DoS)

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Denial of Service (DoS) by modification of security headers and inserting newlines. An attacker can cause the server to process a terminated request, leading to service failure.

Note: This is only exploitable if the attacker can change realm settings.

How to fix Denial of Service (DoS)?

Upgrade org.keycloak:keycloak-services to version 26.0.8 or higher.

[,26.0.8)

org.keycloak:keycloak-services@26.0.6 vulnerabilities

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically