CVE-2020-27826
Authentication Bypass in keycloak
8.8
HIGH
CVSS 3.1
EPSS 0.17%
Description
A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using the Account REST API. This flaw allows an attacker to change their own NameID attribute to impersonate the admin user for any particular application.
How to fix CVE-2020-27826
To remediate CVE-2020-27826, upgrade the affected package to a fixed version listed below.
- Upgrade keycloak to 12.0.0 or later
Is CVE-2020-27826 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- keycloak: all versions from 0 up to, but not including, 12.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |