Keycloak Improper Access Control Vulnerability in Account API Feature

Vulnerability

A vulnerability exists in Keycloak when the server is started with the `--features-disabled=account,account-api` option. In this configuration, the Account REST API is only partially disabled: five endpoints under `/account/v1alpha1` remain fully functional, allowing both read and write operations. The cause is that these endpoints lack the `checkAccountApiEnabled()` gate that correctly restricts access to four other endpoints in the same service class, so the feature flag is enforced per endpoint rather than for the whole resource. The unguarded endpoints still require the caller to be authenticated and to hold the normal permissions for the account API; the flag bypass does not grant additional privileges beyond those.
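
The bug class described above, as an added illustration in Python (not Keycloak's own Java code): a feature gate applied per handler is only as good as the handler that remembers to call it, so one forgotten call leaves that endpoint live while the feature is "disabled". The model shows a resource with one unguarded handler, an audit that finds handlers missing the gate, and a hardened variant that enforces the gate once for the whole resource. All names (`FeatureFlags`, `AccountResourceFragile`, `audit_unguarded`) are hypothetical.

```python
import inspect
from dataclasses import dataclass, field


class FeatureDisabled(Exception):
    """Raised when a disabled feature is requested."""


@dataclass
class FeatureFlags:
    # Constructed model of the server's --features-disabled list.
    disabled: set = field(default_factory=set)


def check_account_api_enabled(flags):
    """Model of the per-endpoint gate; refuses when account-api is disabled."""
    if "account-api" in flags.disabled:
        raise FeatureDisabled("account-api")


def gated(handler):
    """Decorator: run the feature gate before the handler and mark it as guarded."""
    def wrapper(self, *args, **kwargs):
        check_account_api_enabled(self.flags)
        return handler(self, *args, **kwargs)
    wrapper._gated = True
    return wrapper


class AccountResourceFragile:
    """Per-endpoint gating: each handler must remember to call the gate."""
    def __init__(self, flags):
        self.flags = flags

    @gated
    def get_account(self):
        return {"username": "alice"}          # constructed sample data

    def update_account(self, data):           # gate forgotten: still writable
        return {"updated": data}


class AccountResourceHardened(AccountResourceFragile):
    """Gate once, centrally: a disabled feature refuses the whole resource."""
    def __init__(self, flags):
        check_account_api_enabled(flags)
        super().__init__(flags)


def audit_unguarded(resource_cls):
    """Return names of public handlers that do not carry the gate marker."""
    return sorted(name for name, fn in inspect.getmembers(resource_cls, inspect.isfunction)
                  if not name.startswith("_") and not getattr(fn, "_gated", False))


def is_refused(fn, *args):
    """True if calling fn raises FeatureDisabled (used for self-checks)."""
    try:
        fn(*args)
    except FeatureDisabled:
        return True
    return False
```

Running `audit_unguarded` as a unit test in CI catches a newly added handler that forgets the gate; the hardened constructor removes the need for the per-handler call altogether.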

Impact

This vulnerability allows authenticated users to bypass the intended disablement of the `account` and `account-api` features, performing read and write operations through the five unguarded account endpoints even though the administrator has turned the feature off.

Remediation

To mitigate this vulnerability, restrict network access to the Keycloak server's administration and API endpoints to trusted networks or hosts. This limits the ability of unauthorized users to reach the server and interact with the unguarded endpoints. If the Keycloak service is reloaded or restarted, verify that the firewall rules or network access controls remain in effect.

Added: Apr 30, 2026, 3:27 PM
Updated: Apr 30, 2026, 3:27 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.3
exploitability  5.2
remediation     0.0
relevance       7.0
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.