Keycloak, an open-source identity and access management solution, has been found to have several security issues, including OTP bypass vulnerabilities, unauthorized access to certain administrative functionalities, and race conditions in the anti-brute-force mechanism. These issues allow attackers to bypass multi-factor authentication, gain unauthorized access to privileged operations, and perform excessive login attempts. Communication with security teams revealed delayed fixes and inadequate advisories, highlighting a need for more timely and transparent responses to such critical issues.
Table of contents

OTP bypass
Multiple security issues in authentication and authorization
Multiple race conditions in anti-brute force mechanism
Some final considerations