Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination

GHSA-93ww-43rr-79v3 · CVE-2024-10039

Published Nov 25, 2024 · Modified Feb 4, 2026

Description

A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.

References

WEB https://github.com/keycloak/keycloak/security/advisories/GHSA-93ww-43rr-79v3
WEB https://github.com/keycloak/keycloak/issues/35217
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes