Description
A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using the Account REST API. This flaw allows an attacker to change their own NameID attribute to impersonate the admin user for any particular application.
References (1)
Issue Tracking, Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1905089
Scores
CVSS v3
4.2
EPSS
0.0057
EPSS Percentile
42.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-250
Status
published
Products (5)
org.keycloak/keycloak-core
0 - 12.0.0 (Maven)
redhat/keycloak
< 12.0.0
redhat/single_sign-on
redhat/single_sign-on
7.4
redhat/single_sign-on
7.4.4
Published
May 28, 2021
Tracked Since
Feb 18, 2026