Session Fixation
org.keycloak:keycloak-services is vulnerable to Session Fixation. The vulnerability is due to the session ID and JSESSIONID cookie not being changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured, allowing an attacker to hijack the session before authentication...