CRITICAL 9.8
GHSA-75p6-52g3-rqc8
Keycloak vulnerable to privilege escalation on Token Exchange feature
Details
A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services.
Are you affected?
Enter the version of the package you're using.
Affected packages
Maven / org.keycloak:keycloak-services
Introduced in:
0 Fixed in: 18.0.0 Fix
# pom.xml: bump <version>18.0.0</version> for org.keycloak:keycloak-services