keycloak-services is vulnerable to Authentication Bypass
81
High Risk
keycloak-services validates JWT assertions in the JWT Authorization Grant flow and related JWT public-key client authenticators without restricting the signature to asymmetric algorithms. A client holding valid credentials can forge an assertion signed with a symmetric algorithm such as HS256, causing the server to verify the signature using known public key material as the HMAC secret. This algorithm confusion bypasses signature verification and lets the caller mint access tokens that impersonate any federated user linked to the affected identity provider. The fix rejects symmetric algorithms in the public-key JWT validators and only permits them for the dedicated client-secret-jwt authentication flow.
You are affected if you are using a version that falls within the vulnerable range and your realm has a JWT Authorization Grant or JWT-based federated identity provider configured.
keycloak-services is vulnerable to Authentication Bypass in versions 26.0.0 - 26.6.3.
Upgrade the org.keycloak:keycloak-services library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant