New: Corgea AI Pentesting — autonomous penetration testing in hours, not weeks
MEDIUM 6.5 Maven

Keycloak services allows the issuance of access and refresh tokens for disabled users

GHSA-wv3h-x6c4-r867 · CVE-2025-14559

Published · Modified

Description

A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow.

Ready to move

Start Securing

Free, no credit card | First findings in minutes