VYPR
High severity · GHSA Advisory · Published Nov 25, 2024 · Updated Jan 30, 2025

Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination

CVE-2024-10039

Description

A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Keycloak deployments with mTLS and non-pass-through TLS termination allow local network attackers to bypass mTLS authentication.

Vulnerability

Overview

The vulnerability affects Keycloak deployments that enable mutual TLS (mTLS) authentication behind a reverse proxy that terminates TLS instead of passing the connection through. In that configuration the proxy completes the TLS handshake, so Keycloak never sees the client certificate on its own connection and has to rely on whatever the proxy relays about it out of band. An attacker positioned on the local network can supply that certificate information themselves and be accepted as any user or client that authenticates with mTLS [1][2].

Attack

Vector and Exploitation

The attack needs only local network access (an attacker able to reach the deployment's network segment), no privileges and no user interaction, and its complexity is low: once TLS is terminated at the proxy, the attacker can supply client certificate material that Keycloak accepts as if the proxy had verified it. The consequences are not confined to the proxy; they land on the Keycloak backend and every resource it protects [2].

Impact

Successful exploitation leads to complete loss of confidentiality and integrity for resources protected by mTLS. An attacker can authenticate as any mTLS-enabled user or client, gaining unauthorized access to sensitive data, performing actions on behalf of legitimate identities, and potentially escalating privileges within the Keycloak realm [1][3].

Mitigation

The affected-packages data on this page lists org.keycloak:keycloak-core 26.0.6 as the patched release, so the first step is to upgrade to 26.0.6 or later. Independently of the upgrade, wherever mTLS is the authentication mechanism, run the reverse proxy in TLS pass-through mode (TCP-level proxying) so the client certificate reaches Keycloak inside the TLS handshake and is validated there rather than relayed by the proxy. Also confirm that Keycloak's own listener is reachable only from the proxy, since the attack assumes an attacker on the local network. Review the official advisory for the details of the fix [2][3].
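The two proxy topologies the advisory distinguishes, as an added nginx configuration example that is not part of the advisory or of the Keycloak project's documentation. Hostnames, ports, file paths and the header name are assumptions; the header relay in variant A follows the pattern used by Keycloak's nginx X.509 certificate lookup provider, and variant B is the pass-through (TCP-level) mode the mitigation calls for. The two variants are alternatives for the same listener, not a single configuration.

```nginx
# Added example, not from the advisory or the Keycloak project.
# Variants A and B both bind port 443; deploy one or the other.

# --- A: affected pattern: nginx terminates TLS and relays the client cert ---
# nginx completes the TLS handshake and hands the PEM certificate to Keycloak
# in an HTTP header (Keycloak's nginx x509cert-lookup provider reads it).
# Keycloak never sees the handshake, so this header is its only evidence of
# the certificate; anything that can reach the Keycloak listener and set the
# header itself is indistinguishable from a verified client. This is the kind
# of non-pass-through deployment CVE-2024-10039 describes as affected.
http {
    server {
        listen 443 ssl;
        server_name sso.example.internal;            # assumed hostname

        ssl_certificate         /etc/nginx/tls/server.pem;     # assumed paths
        ssl_certificate_key     /etc/nginx/tls/server.key;
        ssl_client_certificate  /etc/nginx/tls/client-ca.pem;
        ssl_verify_client       optional_no_ca;   # chain is checked by Keycloak
        ssl_verify_depth        2;

        location / {
            proxy_pass http://keycloak.example.internal:8080;   # assumed backend
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # From here on the client certificate is ordinary request metadata.
            proxy_set_header ssl-client-cert   $ssl_client_escaped_cert;
        }
    }
}

# --- B: mitigation: TCP pass-through, Keycloak terminates TLS itself ---
# nginx forwards the raw TCP stream and never decrypts it. The client
# certificate is presented to Keycloak inside the TLS handshake and validated
# there against Keycloak's own trust store, so no header can stand in for it.
stream {
    upstream keycloak_tls {
        server keycloak.example.internal:8443;   # Keycloak's HTTPS listener
    }
    server {
        listen 443;
        proxy_pass keycloak_tls;   # no ssl_* directives: nothing is terminated here
    }
}
```

With variant B, Keycloak must own the TLS endpoint: start it with `--https-certificate-file`, `--https-certificate-key-file`, `--https-client-auth=request` (or `required`) and `--https-trust-store-file`/`--https-trust-store-password` pointing at the client CA, and leave the header-based X.509 lookup provider unconfigured so the default provider, which reads the certificate from the TLS connection, is the only source of client identity. A quick self-check for B: a request to Keycloak that carries an `ssl-client-cert` header but presents no TLS client certificate must not be treated as an mTLS login. Variant A should only ever be combined with network rules that make Keycloak's listener unreachable except from the proxy, and even then the page's patched version is the real fix.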

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.keycloak:keycloak-core (Maven)
Affected versions: < 26.0.6
Patched versions: 26.0.6
