High severityNVD Advisory· Published Dec 14, 2023· Updated Nov 11, 2025
Keycloak: offline session token dos
CVE-2023-6563
Description
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.keycloak:keycloak-model-jpaMaven | < 21.0.0 | 21.0.0 |
Affected products
7- cpe:/a:redhat:build_keycloak:
cpe:/a:redhat:red_hat_single_sign_on:7.6.6+ 3 more
- cpe:/a:redhat:red_hat_single_sign_on:7.6.6
- cpe:/a:redhat:red_hat_single_sign_on:7.6::el7range: 0:18.0.11-2.redhat_00003.1.el7sso
- cpe:/a:redhat:red_hat_single_sign_on:7.6::el8range: 0:18.0.11-2.redhat_00003.1.el8sso
- cpe:/a:redhat:red_hat_single_sign_on:7.6::el9range: 0:18.0.11-2.redhat_00003.1.el9sso
- Red Hat/RHEL-8 based Middleware Containersv5cpe:/a:redhat:rhosemc:1.0::el8Range: 7.6.6-2
Patches
Vulnerability mechanics
References
12- access.redhat.com/errata/RHSA-2023:7854ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2023:7855ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2023:7856ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2023:7857ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2023:7858ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-54f3-c6hg-865hghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-6563ghsaADVISORY
- access.redhat.com/security/cve/CVE-2023-6563ghsavdb-entryx_refsource_REDHATWEB
- bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
- github.com/keycloak/keycloak/commit/556146f961f7c8ddf64de15e2117a58d045f72b5ghsaWEB
- github.com/keycloak/keycloak/issues/13340ghsaWEB
- github.com/keycloak/keycloak/pull/15463ghsaWEB
News mentions
0No linked articles in our index yet.