CVE-2021-4133
HIGH
Keycloak 12.0.0-15.1.0 - Incorrect Authorization via Administrative REST API
Title source: llmDescription
A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.
References (4)
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=2033602
Third Party Advisory x_refsource_misc
https://github.com/keycloak/keycloak/issues/9247
Third Party Advisory x_refsource_misc
https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487
Not Applicable x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Scores
CVSS v3
8.8
EPSS
0.0043
EPSS Percentile
62.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-863
Status
published
Products (2)
org.keycloak/keycloak-services
0 - 15.1.1
Maven
redhat/keycloak
12.0.0 - 15.1.1
Published
Jan 25, 2022
Tracked Since
Feb 18, 2026