Red Hat Keycloak Improper Authorization Vulnerability in Organization Mapper

Vulnerability

An improper authorization vulnerability has been identified in the organization feature of the Red Hat build of Keycloak, specifically in version 26.0.10. The flaw causes organizations to be assigned to users incorrectly, based only on a matching username or email domain. Because the issue is in the organization mapper, the tokens it issues carry organization claims that do not reflect the user's actual membership. Applications that rely on these claims for authorization decisions may therefore grant users access or privileges in organizations they do not belong to.

Impact

Exploitation of this vulnerability could result in users being granted access or privileges in organizations managed by Keycloak that they are not authorized for.

Reproduction

To reproduce this vulnerability, create a user account whose username or email matches the domain pattern of an organization. Once the account is created, the organization is incorrectly assigned to the user. The issue can be verified by inspecting the token claims, which will reflect the unauthorized organizational affiliation.

Remediation

Users can upgrade to the Red Hat build of Keycloak 26.0.10, which addresses this vulnerability. Instructions for applying the update are available on the Red Hat Customer Portal.
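Until the update is applied, an application that relies on the token's organization claim can cross-check it against an authoritative membership source instead of trusting the mapper output alone. The following is an added example, not code from Keycloak or from this advisory; the token payloads and membership records are constructed, and it assumes the "organization" claim is either a list of organization aliases or an object keyed by alias.

```python
# Constructed sample token payloads (decoded claims, not real tokens). The second
# one models the advisory's case: an "acme" claim assigned only because the
# username carries the organization's email domain.
SAMPLE_TOKENS = [
    {"sub": "u1", "preferred_username": "alice@acme.example", "organization": ["acme"]},
    {"sub": "u2", "preferred_username": "mallory@acme.example", "organization": {"acme": {}}},
    {"sub": "u3", "preferred_username": "bob@other.example", "organization": []},
]

# Constructed authoritative membership, e.g. fetched from the admin API or kept in
# the application's own records; the token claim is checked against this, never
# the other way round.
VERIFIED_MEMBERSHIP = {"u1": {"acme"}, "u2": set(), "u3": set()}


def claimed_orgs(token):
    """Return the organization aliases present in the token claim.

    Assumption: the claim is a list of aliases or an object keyed by alias.
    """
    claim = token.get("organization", [])
    return set(claim) if isinstance(claim, (list, dict)) else set()


def unverified_orgs(token, verified):
    """Aliases the token claims but the authoritative source does not confirm."""
    return claimed_orgs(token) - verified.get(token["sub"], set())


def authorize(token, org, verified):
    """Grant only when the org is both claimed in the token and independently verified."""
    return org in claimed_orgs(token) and org in verified.get(token["sub"], set())


def audit(tokens, verified):
    """Map subject -> sorted list of unverified organization claims, for alerting."""
    result = {}
    for token in tokens:
        extra = unverified_orgs(token, verified)
        if extra:
            result[token["sub"]] = sorted(extra)
    return result


if __name__ == "__main__":
    print(audit(SAMPLE_TOKENS, VERIFIED_MEMBERSHIP))
```

A non-empty audit result is a signal that tokens are carrying organization claims the membership records do not back, which is exactly what the affected mapper produces.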

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.0
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.