Keycloak: amount of attributes per object is not limited and it may lead to DoS
Description
A denial of service vulnerability was found in Keycloak where the number of attributes per object is not limited. An attacker, by sending repeated HTTP requests, could cause resource exhaustion when the application sends back rows with long attribute values.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in Keycloak due to unlimited attributes per object allows resource exhaustion via repeated HTTP requests with long attribute values.
Vulnerability
Overview
CVE-2023-6841 is a denial of service (DoS) vulnerability in Keycloak caused by the absence of a limit on the number of attributes per object. When an application returns rows with long attribute values, repeated HTTP requests can lead to resource exhaustion [1][2][3].
Exploitation
An attacker can exploit this by sending multiple HTTP requests that trigger the retrieval of objects with many or long attributes. No special privileges are required; the attacker only needs network access to the Keycloak instance [2].
Impact
Successful exploitation results in resource exhaustion, potentially causing the Keycloak service to become unresponsive or crash, leading to denial of service for legitimate users [3].
Mitigation
The vulnerability is addressed in Keycloak version 24.0.0, which introduces fine-grained control over user attributes and limits on attribute counts [1]. Users should upgrade to this version or later to mitigate the risk [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-core (Maven) | < 24.0.0 | 24.0.0 |
Affected products
- Range: 1.0-alpha-1, 1.0-alpha-1-12062013, 1.0-alpha-2, …
- OSV coordinates (19 packages, no CPE assigned):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/keycloak | < 26.1.4-r0 |
| pkg:apk/chainguard/keycloak-bitnami-compat | < 26.1.4-r0 |
| pkg:apk/chainguard/keycloak-bitnami-fips | < 26.1.4-r0 |
| pkg:apk/chainguard/keycloak-compat | < 26.1.4-r0 |
| pkg:apk/chainguard/keycloak-fips | < 26.1.4-r0 |
| pkg:apk/chainguard/keycloak-fips-bitnami-compat | < 26.1.4-r0 |
| pkg:apk/chainguard/keycloak-fips-policy-140-2 | < 26.1.4-r0 |
| pkg:apk/chainguard/keycloak-fips-policy-140-3 | < 26.1.4-r0 |
| pkg:apk/chainguard/keycloak-iamguarded-compat | < 26.1.4-r0 |
| pkg:apk/chainguard/keycloak-iamguarded-fips | < 26.1.4-r0 |
| pkg:apk/chainguard/keycloak-operator | < 26.1.4-r0 |
| pkg:apk/chainguard/keycloak-operator-compat | < 26.1.4-r0 |
| pkg:apk/wolfi/keycloak | < 26.1.4-r0 |
| pkg:apk/wolfi/keycloak-bitnami-compat | < 26.1.4-r0 |
| pkg:apk/wolfi/keycloak-compat | < 26.1.4-r0 |
| pkg:apk/wolfi/keycloak-iamguarded-compat | < 26.1.4-r0 |
| pkg:apk/wolfi/keycloak-operator | < 26.1.4-r0 |
| pkg:apk/wolfi/keycloak-operator-compat | < 26.1.4-r0 |
| pkg:maven/org.keycloak/keycloak-core | < 24.0.0 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-w97f-w3hq-36g2 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-6841 (GHSA; advisory)
- access.redhat.com/security/cve/CVE-2023-6841 (GHSA; vdb-entry, x_refsource_REDHAT; web)
- bugzilla.redhat.com/show_bug.cgi (GHSA; issue-tracking, x_refsource_REDHAT; web)
- github.com/keycloak/keycloak/issues/32837 (GHSA; web)
- github.com/keycloak/keycloak/releases/tag/24.0.0 (GHSA; web)
News mentions
No linked articles in our index yet.