Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
Vendor | Product | Version | CPE |
---|---|---|---|
org.keycloak | keycloak-services | * | cpe:2.3:a:org.keycloak:keycloak-services:*:*:*:*:*:*:*:* |