CVE-2024-3656 — Keycloak's admin API allows low privilege users to use administrative functions

Description

Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise. **Acknowledgements:** Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.

How to fix CVE-2024-3656

To remediate CVE-2024-3656, upgrade the affected package to a fixed version below.

—upgrade to 24.0.5 or later

Is CVE-2024-3656 being exploited?

Likely — EPSS is 89.7%, placing CVE-2024-3656 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

from 0, < 24.0.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References (12)

ADVISORYgithub.com/advisories/GHSA-2cww-fgmg-4jqc
ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-3656
PATCHgithub.com/keycloak/keycloak
WEBaccess.redhat.com/errata/RHSA-2024:3572
WEBaccess.redhat.com