Evan Hendra

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** An authenticated user with existing organization membership can exploit a flaw by accessing user-facing APIs, such as the account API, or by requesting an OpenID Connect (OIDC) token with the `organization` scope. This results in the disclosure of organization metadata in tokens, even if an administrator has explicitly disabled the Organizations feature. This leak may lead to incorrect authorization decisions by resource servers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** A flaw exists in the `org.keycloak.protocol.oidc` component of Keycloak's Client Policies. When specific condition providers—`client-type`, `client-roles`, `client-attributes`, or `client-scopes`—are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens using a Resource Owner Password Credentials (ROPC) grant, which is a flow where the user provides their credentials directly to the application to receive an access token, even if a policy is configured to block it. This bypass can result in unauthorized access and information disclosure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** A security control intended to disable the implicit flow in OpenID Connect (OIDC) clients can be bypassed. A low-privilege user with knowledge of user credentials and client ID can manipulate client data during a session restart to obtain an unauthorized access token. This process may lead to the exposure of access tokens in server logs, proxy logs, and HTTP Referrer headers, causing sensitive information disclosure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** When the software is started with the `--features-disabled=account,account-api` flag, the Account REST API is only partially disabled. Five endpoints under the versioned path "/account/v1alpha1" remain fully functional for both read and write operations. This occurs because these endpoints lack the `checkAccountApiEnabled()` function gate that is used to block other endpoints within the same REST service class. Access to these endpoints still requires the user to have the necessary permissions to use the API. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.