Keycloak · CVE-2023-4918
**Name of the Vulnerable Software and Affected Versions**
Keycloak (affected versions not specified)
**Description**
The issue stems from the transmission of data in plain text and allows a remote attacker to obtain user credentials. When a user registers through the registration flow, the `password` and `password-confirm` fields from the form are stored as regular user attributes. Any user or client with the appropriate rights and roles can read these attributes, so a malicious user with minimal access can retrieve other users' passwords in clear text, compromising the environment.
**Recommendations**
For all affected versions, disable self-registration for users in all realms until a patch is available.
As a temporary workaround, consider restricting access to user attributes to minimize the risk of exploitation.
Avoid using the `password` and `password-confirm` fields in the registration flow until the issue is resolved.
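To check a realm for the stored `password` / `password-confirm` attributes described above, and to prepare a cleaned representation for the workaround, here is an added example (not Keycloak's own code). It assumes the user list has the shape returned by the admin REST endpoint `GET /admin/realms/{realm}/users` (a `UserRepresentation` whose `attributes` map values are lists of strings); the sample users are constructed inline so it runs offline.

```python
import json
from typing import Dict, List

# Attribute keys that the vulnerable registration flow persists as plain
# user attributes (matched case-insensitively).
LEAKED_ATTRIBUTE_KEYS = {"password", "password-confirm"}


def find_leaked_password_attributes(users: List[dict]) -> Dict[str, List[str]]:
    """Return {username: [offending attribute keys]} for every user whose
    `attributes` map contains a registration password field."""
    findings: Dict[str, List[str]] = {}
    for user in users:
        attrs = user.get("attributes") or {}
        hits = sorted(k for k in attrs if k.lower() in LEAKED_ATTRIBUTE_KEYS)
        if hits:
            findings[user["username"]] = hits
    return findings


def scrub_user(user: dict) -> dict:
    """Return a copy of the UserRepresentation with the leaked attributes
    removed; the copy can be sent with PUT /admin/realms/{realm}/users/{id}.
    The input dict is left untouched."""
    cleaned = dict(user)
    cleaned["attributes"] = {
        k: v for k, v in (user.get("attributes") or {}).items()
        if k.lower() not in LEAKED_ATTRIBUTE_KEYS
    }
    return cleaned


# Constructed sample (hypothetical usernames and values) of what a
# vulnerable realm's user list might contain.
SAMPLE_USERS = json.loads("""[
  {"id": "u1", "username": "alice",
   "attributes": {"password": ["S3cret!"], "password-confirm": ["S3cret!"], "locale": ["en"]}},
  {"id": "u2", "username": "bob", "attributes": {"locale": ["de"]}},
  {"id": "u3", "username": "carol"}
]""")

if __name__ == "__main__":
    for name, keys in find_leaked_password_attributes(SAMPLE_USERS).items():
        print(f"{name}: plaintext credential stored in attributes {keys}")
```

Removing the attribute does not undo prior exposure: any password that was readable this way should be treated as compromised and reset.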