Keycloak Denial of Service vulnerability

GHSA-w97f-w3hq-36g2 · CVE-2023-6841

Published Sep 10, 2024 · Modified Feb 4, 2026

Description

A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited, an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values. The issue is fixed in Keycloak 24 with the introduction of the User Profile feature.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-6841
WEB https://github.com/keycloak/keycloak/issues/32837
WEB https://access.redhat.com/security/cve/CVE-2023-6841
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2254714
PACKAGE https://github.com/keycloak/keycloak
WEB https://github.com/keycloak/keycloak/releases/tag/24.0.0

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes