keycloak-services is vulnerable to User Impersonation. The vulnerability is due to the OpenID Connect user authentication because the session UUID is not properly bound to the user session, allowing an attacker to obtain a certain piece of information from a user request in the same realm and generate new session tokens.