Tero Saarni

**Name of the Vulnerable Software and Affected Versions** Keycloak versions 7.x **Description** A vulnerability was found in Keycloak when configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server, allowing user authentication to succeed even with an invalid password. The issue is related to errors in the implementation of the authentication procedure. This could potentially allow a remote attacker to elevate their privileges. **Recommendations** For Keycloak version 7.x, consider disabling the use of StartTLS with LDAP user federation until a patch is available, and ensure that SSL/TLS is used instead. Restrict access to the LDAP server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.