GHSA-4f53-xh3v-g8x4
GitHub Security Advisory
Keycloak secondary factor bypass in step-up authentication
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
Keycloak does not correctly validate step-up authentication for its clients. An attacker who has already authenticated to a targeted account with its password could use this flaw to register an additional second authentication factor under their own control, alongside the factor the account already has. That attacker-registered second factor is then accepted for step-up authentication, so the stronger factor the account owner enrolled does not protect the step-up level.
Affected Packages
Maven: org.keycloak:keycloak-services
Affected versions: < 22.0.10 (fixed in 22.0.10)
Affected versions: >= 23.0.0, < 24.0.3 (fixed in 24.0.3)
In other words, every release before 22.0.10 is affected, as is every 23.0.x release and 24.0.0 through 24.0.2; 22.0.10 and later in the 22.0.x line, and 24.0.3 and later, carry the fix.
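A practitioner's first question on reading the two ranges above is whether a given build pulls in an affected keycloak-services artifact. The following is an added example (not code from the advisory or from Keycloak) that encodes exactly the two affected ranges listed on this page and checks Maven version strings against them, including a scan of `mvn dependency:list` output. The helper names and the sample dependency-list lines are constructed for illustration; the conservative handling of pre-release qualifiers (a `-SNAPSHOT` of a fixed version is treated as still affected) is this example's own assumption, not something the advisory states.

```python
"""Check org.keycloak:keycloak-services versions against GHSA-4f53-xh3v-g8x4.

Added example, not code from the advisory or from the Keycloak project.
Only the two affected ranges come from the advisory; everything else here
(helper names, pre-release handling, sample input) is illustrative.
"""
import re

PACKAGE = "org.keycloak:keycloak-services"

# (inclusive lower bound, exclusive upper bound), copied from the advisory:
#   all versions below 22.0.10, and 23.0.0 up to but not including 24.0.3.
AFFECTED_RANGES = [
    ("0.0.0", "22.0.10"),
    ("23.0.0", "24.0.3"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](.+))?$")
# Qualifiers that mark a build as preceding the release it is named after.
_PRERELEASE_PREFIXES = ("snapshot", "alpha", "beta", "rc", "cr")


def version_key(version: str) -> tuple:
    """Map a Maven-style version string to a sortable tuple.

    Pre-release builds (e.g. '24.0.3-SNAPSHOT') sort *below* the release
    they precede, so a snapshot of the fixed version is still treated as
    affected (assumption made here, not stated by the advisory). Other
    qualifiers such as '.Final' are treated as the release itself.
    Two-component versions are rejected rather than guessed at.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    qualifier = (m.group(4) or "").lower()
    is_prerelease = any(qualifier.startswith(p) for p in _PRERELEASE_PREFIXES)
    return (major, minor, patch, 0 if is_prerelease else 1)


def is_affected(version: str) -> bool:
    """True if this keycloak-services version falls inside an affected range."""
    v = version_key(version)
    for lo, hi in AFFECTED_RANGES:
        # Lower bound inclusive, and pre-releases of the lower bound count too.
        lo_key = version_key(lo)[:3] + (0,)
        # Upper bound exclusive: the fixed release itself is clean, but a
        # pre-release build of it is still inside the affected range.
        hi_key = version_key(hi)
        if lo_key <= v < hi_key:
            return True
    return False


# Matches the groupId:artifactId:type:version[:scope] form that
# `mvn dependency:list` prints for each resolved artifact.
_DEP_LINE_RE = re.compile(
    re.escape(PACKAGE) + r":(?:jar|pom):([^:\s]+)"
)


def scan_dependency_list(lines) -> list:
    """Scan `mvn dependency:list` output lines for keycloak-services.

    Returns a list of (version, affected) pairs, one per occurrence.
    """
    findings = []
    for line in lines:
        m = _DEP_LINE_RE.search(line)
        if m:
            version = m.group(1)
            findings.append((version, is_affected(version)))
    return findings


# Constructed sample of `mvn dependency:list` output, not captured from a real build.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.keycloak:keycloak-services:jar:23.0.5:compile
[INFO]    org.keycloak:keycloak-core:jar:23.0.5:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
""".splitlines()


if __name__ == "__main__":
    for version, affected in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        status = "AFFECTED by GHSA-4f53-xh3v-g8x4" if affected else "not affected"
        print(f"{PACKAGE}:{version} -> {status}")
```

To use it on a real project, pipe `mvn dependency:list` into the scanner instead of the constructed sample; a 22.0.x build between 22.0.10 and 23.0.0 correctly reports as not affected, while 23.0.x and 24.0.0 through 24.0.2 report as affected.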
Key Information
Severity score: 5.0/10
Dataset
Last updated: July 30, 2025 6:36 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.