Red Hat Keycloak
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
An IDOR (Insecure Direct Object Reference) vulnerability has been identified in Keycloak's admin API endpoints for managing authorization resources. The affected code, in ResourceSetService and PermissionTicketService, authorizes a request against the resourceServer (client) ID supplied in the request, but the database operations that then find and delete the target resource are keyed on the resourceId alone and never confirm that the resource belongs to that resource server. As a result, an authenticated attacker who holds fine-grained admin rights for one client can manipulate resources of any other client in the same realm simply by supplying a valid resource ID from that other client.
Exploitation of this vulnerability allows an authenticated attacker to delete or update authorization resources belonging to different clients within the same realm, potentially disrupting access control management.
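The following is an added illustration of the ownership gap described above, not Keycloak's own code: a small in-memory model in which the permission check consults only the client ID in the request while the resource lookup is keyed on the resource ID alone, shown beside the scoped lookup that closes the hole. The names ResourceStore, Principal.managed_clients, lookup_unscoped and lookup_scoped are hypothetical stand-ins for Keycloak's services and fine-grained admin permissions, and the two clients and resources are constructed sample data. The same lookup change fixes the update path, which is omitted here because it differs only in the mutation it performs.

```python
# Added example, not Keycloak code: models the authorize-by-client-id /
# look-up-by-resource-id mismatch behind the IDOR. All names are hypothetical.
from dataclasses import dataclass
from typing import Dict, Optional, Set


class Forbidden(Exception):
    """Caller has no admin rights on the resource server named in the request."""


class NotFound(Exception):
    """No resource with that id is visible to the request."""


@dataclass
class Resource:
    id: str
    resource_server_id: str  # the client that owns this authorization resource
    name: str


@dataclass
class Principal:
    name: str
    managed_clients: Set[str]  # modeled fine-grained admin permission per client


class ResourceStore:
    """Realm-wide table of authorization resources, keyed by resource id only."""

    def __init__(self, resources):
        self._by_id: Dict[str, Resource] = {r.id: r for r in resources}

    def get(self, resource_id: str) -> Optional[Resource]:
        return self._by_id.get(resource_id)

    def delete(self, resource_id: str) -> None:
        self._by_id.pop(resource_id, None)


def lookup_unscoped(store, resource_server_id, resource_id):
    # Vulnerable pattern: the resource server id is ignored, so any resource
    # in the realm matches as long as the caller knows its id.
    return store.get(resource_id)


def lookup_scoped(store, resource_server_id, resource_id):
    # Hardened pattern: key the lookup on (resource server, resource id) so a
    # resource owned by another client is indistinguishable from a missing one.
    resource = store.get(resource_id)
    if resource is None or resource.resource_server_id != resource_server_id:
        return None
    return resource


def authorize(principal, resource_server_id):
    # Mirrors the check the advisory describes: only the client id from the
    # request is consulted, never the owner of the targeted resource.
    if resource_server_id not in principal.managed_clients:
        raise Forbidden(f"{principal.name} may not manage {resource_server_id}")


def delete_resource(store, principal, resource_server_id, resource_id, lookup):
    """Delete endpoint; `lookup` selects the vulnerable or the hardened query."""
    authorize(principal, resource_server_id)
    resource = lookup(store, resource_server_id, resource_id)
    if resource is None:
        # One answer for both "wrong client" and "no such id", so the scoped
        # version does not leak which resource ids exist in other clients.
        raise NotFound(resource_id)
    store.delete(resource.id)
    return resource


def build_store():
    # Constructed sample data: two clients in one realm, one resource each.
    return ResourceStore([
        Resource("res-a1", "client-a", "Album A"),
        Resource("res-b1", "client-b", "Album B"),
    ])


def demo():
    """Replays the attack: an admin of client-a targets client-b's resource."""
    attacker = Principal("mallory", managed_clients={"client-a"})
    outcome = {}

    store = build_store()
    # Vulnerable: the request names client-a (passes the check) but carries
    # client-b's resource id, which the unscoped lookup finds and deletes.
    victim = delete_resource(store, attacker, "client-a", "res-b1", lookup_unscoped)
    outcome["vulnerable_deleted_owner"] = victim.resource_server_id

    store = build_store()
    try:
        delete_resource(store, attacker, "client-a", "res-b1", lookup_scoped)
        outcome["fixed_blocked"] = False
    except NotFound:
        outcome["fixed_blocked"] = store.get("res-b1") is not None

    # Naming client-b directly fails the permission check, which is why the
    # attacker routes the request through a client they do manage.
    try:
        delete_resource(store, attacker, "client-b", "res-b1", lookup_scoped)
        outcome["direct_forbidden"] = False
    except Forbidden:
        outcome["direct_forbidden"] = True
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point of the scoped lookup is that ownership is enforced by the query itself rather than by a separate check bolted on after the fact, and that a cross-client id yields the same not-found response as a nonexistent id, so the hardened endpoint cannot be used to enumerate other clients' resource ids.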