Versions of keycloak-connect
prior to 4.4.0 are vulnerable to Forced Logout. The package does not validate JWT signatures on the /k_logout
route, so anyone who can reach that route can post a self-made logout token and have it acted on as if it came from the Keycloak server. An attacker can use this to log out users, and a crafted JWT whose not-before (nbf) claim lies far in the future makes the adapter treat every existing token as invalid, locking users out indefinitely.
Upgrade to version 4.4.0 or later.