Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination
Package
Affected versions
< 24.0.9
>= 25.0.0, < 26.0.6
Patched versions
26.0.6
Description
Published to the GitHub Advisory Database
Nov 25, 2024
Reviewed
Nov 25, 2024
Last updated
Dec 23, 2024
A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.
References