keycloak-services is vulnerable to Insufficient Session Expiration
65
Medium Risk
Keycloak's client registration service continues to honor a previously issued registration access token after an administrator disables the client. A remote holder of that token can re-enable the disabled client and reset its secret. This lets the attacker restore and take over a client that was intentionally shut off, regaining privileged API access. The fix invalidates registration access token operations for disabled clients.
You are affected if you are using a version that falls within the vulnerable range and dynamic client registration with registration access tokens is enabled.
keycloak-services is vulnerable to Insufficient Session Expiration in versions 1.0.1.Final - 26.6.3.
Upgrade the org.keycloak:keycloak-services library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant