Improper Authorization in Keycloak

GHSA-83x4-9cwr-5487 · CVE-2021-4133

Published Jan 6, 2022 · Modified Mar 13, 2026

Description

A incorrect authorization flaw was found in Keycloak 12.0.0, the flaw allows an attacker with any existing user account to create new default user accounts via the administrative REST API even where new user registration is disabled.

References

WEB https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-4133
WEB https://github.com/keycloak/keycloak/issues/9247
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2033602
PACKAGE https://github.com/keycloak/keycloak
WEB https://www.oracle.com/security-alerts/cpuapr2022.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes