Red Hat · Keycloak · CVE-2026-9704
**Name of the Vulnerable Software and Affected Versions**
Keycloak (affected versions not specified)
**Description**
An authenticated user with low privileges can escalate privileges by sending an oversized JSON Web Token (JWT, a compact, URL-safe format for carrying claims between two parties) to the `TokenEndpoint`. When the `subject token` exceeds 4000 characters, the system silently drops it and falls back to client credentials, granting the user the permissions of the client's service account.
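The failure mode above, as an added illustration that is not Keycloak's code: a minimal model of a token-exchange handler in which the vulnerable variant treats an oversized subject token as absent and falls back to the client credentials grant, while the hardened variant rejects the request instead. The form field name `subject_token`, the exactness of the 4000-character limit, and the sample users and roles are assumptions for the example.

```python
# Constructed model of the bug described above; not Keycloak source.
from dataclasses import dataclass

MAX_SUBJECT_TOKEN_LEN = 4000  # limit from the advisory; assumed to be a hard cutoff

# Constructed sample data: a low-privilege user and a client's service account.
USER_ROLES = {"alice": {"viewer"}}
SERVICE_ACCOUNT_ROLES = {"my-client": {"admin", "viewer"}}


@dataclass
class Grant:
    principal: str
    roles: set


def _decode_subject(token: str) -> str:
    # Stand-in for JWT validation: constructed tokens look like "user:<name>".
    return token.split(":", 1)[1]


def vulnerable_exchange(client_id: str, form: dict) -> Grant:
    # Mirrors the flaw: a present but oversized subject_token is discarded,
    # so the request is handled as if no subject had been supplied.
    token = form.get("subject_token")
    if token is not None and len(token) > MAX_SUBJECT_TOKEN_LEN:
        token = None  # silently dropped, no error to the caller
    if token is None:
        # Fallback to client credentials: caller receives the service account's roles.
        return Grant(f"service-account-{client_id}", SERVICE_ACCOUNT_ROLES[client_id])
    user = _decode_subject(token)
    return Grant(user, USER_ROLES[user])


def hardened_exchange(client_id: str, form: dict) -> Grant:
    # A subject_token that is supplied but unusable must fail the request;
    # it must never be reinterpreted as a different grant type.
    if "subject_token" in form:
        token = form["subject_token"]
        if len(token) > MAX_SUBJECT_TOKEN_LEN:
            raise ValueError("invalid_request: subject_token exceeds size limit")
        user = _decode_subject(token)
        return Grant(user, USER_ROLES[user])
    # Service-account roles are issued only for an explicit client_credentials grant.
    if form.get("grant_type") != "client_credentials":
        raise ValueError("invalid_grant: subject_token required for token exchange")
    return Grant(f"service-account-{client_id}", SERVICE_ACCOUNT_ROLES[client_id])
```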
**Recommendations**
At the time of writing, no newer version containing a fix for this vulnerability has been identified.