keycloak-services is vulnerable to Authorization Bypass
46
Medium Risk
Keycloak's authorization services let a user holding a User-Managed Access permission ticket for one resource use a specific permission request prefix to bypass per-resource checks. This grants access to all resources of the same type on the resource server, even without a ticket for them. It applies to resource servers in PERMISSIVE enforcement mode with owner-managed typed resources that have no explicit type policy, allowing unauthorized disclosure or modification. The fix enforces per-resource authorization for these permission requests.
You are affected if you are using a version that falls within the vulnerable range and a resource server runs in PERMISSIVE policy enforcement mode with owner-managed typed resources.
keycloak-services is vulnerable to Authorization Bypass in versions 1.0.1.Final - 26.6.3.
Upgrade the org.keycloak:keycloak-services library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant