Moderate severity · NVD Advisory · Published Aug 23, 2022 · Updated Jun 30, 2025
CVE-2020-35509
Description
A flaw was found in Keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing timestamp validation. The highest threat from this vulnerability is to data confidentiality and integrity.
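A compact, runnable version of the check the fix introduces, written as an added example in Go (it is not Keycloak's own Java code): the validator takes the evaluation clock as a parameter, so the expired-certificate case the advisory describes can be exercised directly. The certificate is constructed in memory; the subject name and the error wording are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ValidateTimestamps is the check missing before the fix: every certificate in the presented chain must lie inside its notBefore/notAfter window at time now.
func ValidateTimestamps(chain []*x509.Certificate, now time.Time) error {
	for _, c := range chain {
		if now.Before(c.NotBefore) {
			return fmt.Errorf("certificate %q is not valid before: %s", c.Subject.CommonName, c.NotBefore.UTC().Format(time.RFC3339))
		}
		if now.After(c.NotAfter) {
			return fmt.Errorf("certificate %q has expired on: %s", c.Subject.CommonName, c.NotAfter.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

// SelfSignedCert builds a constructed client certificate with the given validity window (assumption: it stands in for what a direct-grant caller presents).
func SelfSignedCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature, // key-usage checks alone pass an expired certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, _ := SelfSignedCert("alice@example.test", time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC))
	fmt.Println(ValidateTimestamps([]*x509.Certificate{cert}, time.Now())) // the certificate has expired
}
```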
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-core (Maven) | < 14.0.0 | 14.0.0 |
Affected products
Patches (1)
1. 478319348bdf KEYCLOAK-16450 X509 Direct Grant Auth does not verify certificate timestamp validity
2 files changed · +44 −1
services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java+2 −1 modified@@ -75,7 +75,8 @@ public void authenticate(AuthenticationFlowContext context) { CertificateValidator validator = builder.build(certs); validator.checkRevocationStatus() .validateKeyUsage() - .validateExtendedKeyUsage(); + .validateExtendedKeyUsage() + .validateTimestamps(); } catch(Exception e) { logger.error(e.getMessage(), e); // TODO use specific locale to load error messages
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java+42 −0 modified@@ -244,6 +244,48 @@ public void loginCertificateRevoked() throws Exception { } + @Test + public void loginCertificateNotExpired() throws Exception { + X509AuthenticatorConfigModel config = + new X509AuthenticatorConfigModel() + .setCertValidationEnabled(true) + .setConfirmationPageAllowed(true) + .setMappingSourceType(SUBJECTDN_EMAIL) + .setUserIdentityMapperType(USERNAME_EMAIL); + AuthenticatorConfigRepresentation cfg = newConfig("x509-directgrant-config", config.getConfig()); + String cfgId = createConfig(directGrantExecution.getId(), cfg); + Assert.assertNotNull(cfgId); + + oauth.clientId("resource-owner"); + OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "", "", null); + + assertEquals(200, response.getStatusCode()); + } + + @Test + public void loginCertificateExpired() throws Exception { + X509AuthenticatorConfigModel config = + new X509AuthenticatorConfigModel() + .setCertValidationEnabled(true) + .setConfirmationPageAllowed(true) + .setMappingSourceType(SUBJECTDN_EMAIL) + .setUserIdentityMapperType(USERNAME_EMAIL); + AuthenticatorConfigRepresentation cfg = newConfig("x509-directgrant-config", config.getConfig()); + String cfgId = createConfig(directGrantExecution.getId(), cfg); + Assert.assertNotNull(cfgId); + + setTimeOffset(50 * 365 * 24 * 60 * 60); + + oauth.clientId("resource-owner"); + OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "", "", null); + + setTimeOffset(0); + + assertEquals(401, response.getStatusCode()); + assertEquals("invalid_request", response.getError()); + Assert.assertThat(response.getErrorDescription(), containsString("has expired on:")); + } + private void loginForceTemporaryAccountLock() throws Exception { X509AuthenticatorConfigModel config = new X509AuthenticatorConfigModel() .setMappingSourceType(ISSUERDN)
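Review bot: in the ValidateX509CertificateUsername.java hunk, `.validateTimestamps()` is chained last, after `checkRevocationStatus()`, so an already-expired certificate still triggers the revocation lookup (CRL/OCSP, potentially a network round-trip) before it is rejected; moving the timestamp check to the front of the chain fails fast and avoids revocation queries for certificates whose window has closed. The surrounding `catch(Exception e)` also logs every validator failure at error level with the generic `logger.error(e.getMessage(), e)`, so an ordinary expired client certificate will show up as an error-level stack trace; a distinct, lower-severity log line for validation failures would keep the error log meaningful.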
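Review bot: in `loginCertificateExpired` the `setTimeOffset(0)` reset is not in a `finally` block, so if `doGrantAccessTokenRequest` or an earlier assertion throws, the 50-year offset leaks into the tests that follow; wrap the request and assertions so the reset always runs. Only the expired side of the validity window is exercised: a `notBefore` still in the future (a negative offset) would cover the other branch of `validateTimestamps()`, and the `X509AuthenticatorConfigModel` setup duplicated across both new tests could be factored into a helper.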
References (8)
- github.com/advisories/GHSA-rpj2-w6fr-79hc (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-35509 (GHSA; advisory)
- access.redhat.com/security/cve/cve-2020-35509 (GHSA; web)
- bugzilla.redhat.com/show_bug.cgi (GHSA; web)
- github.com/keycloak/keycloak/blob/4f330f4a57cbfcf6202b60546518261c66e59a35/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java (GHSA; web)
- github.com/keycloak/keycloak/commit/478319348bdfdb9b6d39122f41edf2af79f679bb (GHSA; web)
- github.com/keycloak/keycloak/pull/6330 (GHSA; web)
- github.com/keycloak/keycloak/pull/8067 (GHSA; web)