Intel

AIKIDO-2026-732363

keycloak-services is vulnerable to Insufficient Session Expiration

Insufficient Session ExpirationCVE-2026-9705 Published 3 days ago

65

Medium Risk

This Affects:

JAVAkeycloak-services
1.0.1.Final - 26.6.3
Fixed in 26.6.4
Are you affected? Scan for Free

TL;DR

Keycloak's client registration service continues to honor a previously issued registration access token after an administrator disables the client. A remote holder of that token can re-enable the disabled client and reset its secret. This lets the attacker restore and take over a client that was intentionally shut off, regaining privileged API access. The fix invalidates registration access token operations for disabled clients.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and dynamic client registration with registration access tokens is enabled.

Background info

keycloak-services is vulnerable to Insufficient Session Expiration in versions 1.0.1.Final - 26.6.3.

How to fix this

Upgrade the org.keycloak:keycloak-services library to the patch version.