A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 6
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Redhat Build_Of_Keycloak
cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*
|
— | — |
|
Redhat Build_Of_Keycloak
cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:*:*:*:*
|
— | — |
|
Redhat Build_Of_Keycloak
cpe:2.3:a:redhat:build_of_keycloak:26.4.10:*:*:*:*:*:*:*
|
— | — |
|
Redhat Jboss_Enterprise_Application_Platform
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Jboss_Enterprise_Application_Platform_Expansion_Pack
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
|
— | — |
|
Redhat Single_Sign-On
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
|
— | — |