logo

Database

Authentication mechanism absence or evasion In org.keycloak:keycloak-services

Description

Keycloak services allows the issuance of access and refresh tokens for disabled users A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-145592. NVD-2025-145593. OSV-2025-145594. GCVE-2025-145595. access.redhat.com6. access.redhat.com7. ACCESS-CVE-2025-14559

References

1. https://github.com/keycloak/keycloak/issues/456512. https://github.com/keycloak/keycloak/commit/2d0aa31c4830ebaad094c3762e78b884c141e6593. https://github.com/keycloak/keycloak/commit/d67349f3aa9fed5c61750619d0f9de6356aeaeff4. https://bugzilla.redhat.com/show_bug.cgi?id=24217115. https://github.com/keycloak/keycloak/releases/tag/26.5.2

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.