A flaw was found in Keycloak
An authenticated user can bypass the realm's configured WebAuthn policy during credential registration by manipulating the client-side JavaScript that drives the registration ceremony. The server-side processAction() does not verify that the newly created credential's parameters, such as the public key algorithm, match the realm's WebAuthn policy, so it accepts whatever the client returns. Credentials that do not meet the administratively configured requirements can therefore be registered, weakening the system's security posture by allowing non-compliant authentication methods.
Any Keycloak realm that relies on its WebAuthn policy to constrain registered authenticators is affected: administrators cannot assume that a credential registered by a user satisfies the policy, and users of such realms may end up protected by weaker authenticators than the policy intended.
What should I do?
Monitor & Review: rated low priority here (the CVSS 3.1 vector below scores 4.3, Medium, with no confidentiality or availability impact). Keep this CVE on your radar and patch during routine maintenance; until then, audit registered WebAuthn credentials in policy-constrained realms rather than assuming they comply.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (base score 4.3, Medium; exploitability subscore 2.8, impact subscore 1.4)
Affected Products: 2