Keycloak Organization Data Leak Vulnerability

Vulnerability

Keycloak continues to expose organization data through user-facing interfaces after an administrator has disabled the Organizations feature on a realm. An authenticated user who holds an organization membership can still read that membership through the account API and can still obtain OpenID Connect (OIDC) tokens with the 'organization' scope, and those tokens are issued with the organization claim populated. Resource servers that authorize on that claim therefore keep making organization-based access decisions on the basis of a feature the administrator believes is switched off.

Impact

Exploitation discloses organization membership data that the administrator intended to withdraw and causes OIDC tokens to carry organization claims that downstream resource servers may still treat as authoritative for authorization, leading to access being granted on stale organization membership.

Reproduction

To reproduce, enable the Organizations feature on a Keycloak realm, create at least one organization, and add a user as a member. Then, as an administrator, disable the feature on the realm by setting 'organizationsEnabled' to false. Authenticate as the member user and call the account API: the organization membership is still returned. Next, request an OIDC token for that user with the 'organization' scope (the client must be able to request that scope); decode the resulting access token and confirm that it contains the organization claim listing the membership. Presenting that token to a resource server that authorizes on the organization claim yields an access decision that the administrator expected to be impossible after disabling the feature.
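The following script is an added example, not code from the page or from the Keycloak project. It shows the check a tester would run after the steps above: decode the issued access token, normalise the organization claim, and flag the case where the realm representation reports organizationsEnabled=false while the token still names organizations. The token endpoint path and the admin realm PUT are the standard Keycloak paths as assumed here; the sample claims and realm representation are constructed so the check runs offline, and the JWT decoding deliberately skips signature verification because it only inspects claims.

```python
"""Detect the organization-claim leak: realm has organizationsEnabled=false,
yet an access token requested with the 'organization' scope still carries
organization membership.  Added example; not Keycloak project code."""
import base64
import json
import urllib.parse
import urllib.request

# Assumed standard Keycloak paths (not taken from the advisory text).
TOKEN_PATH = "/realms/{realm}/protocol/openid-connect/token"
ADMIN_REALM_PATH = "/admin/realms/{realm}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS. No signature check: inspection only,
    never use this to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def organization_aliases(claims: dict) -> list:
    """Normalise the 'organization' claim into a sorted list of aliases.
    Keycloak releases have emitted it both as a list of aliases and as a
    map keyed by alias, so both shapes are accepted."""
    org = claims.get("organization")
    if org is None:
        return []
    if isinstance(org, dict):
        return sorted(org)
    if isinstance(org, list):
        return sorted(str(a) for a in org)
    return [str(org)]


def organization_claim_leaked(realm: dict, access_token: str) -> bool:
    """True when the realm says organizations are disabled but the token
    still lists organization membership (the condition this page describes)."""
    if realm.get("organizationsEnabled", False):
        return False  # feature on: the claim is expected, not a leak
    return bool(organization_aliases(decode_jwt_payload(access_token)))


# ---- live helpers: need a reachable Keycloak, unused by the offline check ----
def _post_form(url: str, fields: dict, headers=None) -> dict:
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def password_grant(base_url, realm, client_id, username, password, scope):
    """Direct-grant token request (client must allow direct access grants).
    Use scope='openid organization' to reproduce the advisory."""
    return _post_form(base_url + TOKEN_PATH.format(realm=realm), {
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password, "scope": scope})


def set_organizations_enabled(base_url, realm, admin_token, enabled):
    """PUT a partial RealmRepresentation to toggle organizationsEnabled."""
    body = json.dumps({"organizationsEnabled": enabled}).encode()
    req = urllib.request.Request(
        base_url + ADMIN_REALM_PATH.format(realm=realm), data=body, method="PUT",
        headers={"Authorization": "Bearer " + admin_token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


# ---- constructed offline sample shaped like a Keycloak access token ----
def unsigned_jwt(claims: dict) -> str:
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


SAMPLE_CLAIMS = {"iss": "https://idp.example/realms/demo", "sub": "u1",
                 "scope": "openid organization", "organization": {"acme": {}}}
SAMPLE_REALM_DISABLED = {"realm": "demo", "organizationsEnabled": False}

if __name__ == "__main__":
    tok = unsigned_jwt(SAMPLE_CLAIMS)
    print("aliases:", organization_aliases(decode_jwt_payload(tok)))
    print("leak:", organization_claim_leaked(SAMPLE_REALM_DISABLED, tok))
```

Against a live instance, fetch the realm representation from the admin API, call password_grant with the member user and scope 'openid organization', and pass the returned access_token to organization_claim_leaked; a True result after set_organizations_enabled(..., False) reproduces the finding. The same normalisation is what a resource server should apply if it insists on consuming the claim, since the shape of the claim is not stable across releases.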

Added: May 28, 2026, 5:56 AM
Updated: May 28, 2026, 5:56 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 6.4
remediation: 8.3
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.