Keycloak vulnerable to user impersonation via stolen UUID code

GHSA-9g98-5mj6-f9mv · CVE-2023-0264

Published Mar 2, 2023 · Modified Feb 4, 2026

Description

Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, could use that data to impersonate the victim and generate new session tokens.

References

WEB https://github.com/keycloak/keycloak/security/advisories/GHSA-9g98-5mj6-f9mv
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-0264
WEB https://github.com/keycloak/keycloak/commit/ec8109112e67208c13e13f6d1f8706a5a3ba8d4c
WEB https://access.redhat.com/security/cve/CVE-2023-0264
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes