Description
Source: https://issues.redhat.com/browse/RHBK-4068
Security Tracking Issue
Flaw:
Keycloak keycloak-services: Business logic flaw allows unauthorized token issuance for disabled users
A business logic vulnerability exists in the Token Exchange implementation within the keycloak-services component. When a privileged client invokes the token exchange flow, Keycloak correctly validates the client but fails to validate whether the target “requested_subject” user is enabled. This omission allows issuance of access and refresh tokens for users whose accounts have been explicitly disabled. An internal client with the impersonation permission can therefore resurrect “zombie accounts,” obtaining tokens for former employees or banned users despite account deactivation. This flaw enables unauthorized use of previously revoked privileges and relies solely on the presence of an internal high-privileged client, requiring no user interaction or direct authentication by the disabled user.
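A defender-side way to act on this description is to audit token-exchange activity for target users who are disabled, and to apply the missing guard explicitly. The Python below is an added example written for this issue, not Keycloak project code. It assumes user records in the shape of a Keycloak admin user export (`id`, `username`, `enabled`) and event records in the shape of Keycloak login events (`type`, `clientId`, `details`) with the impersonation target stored under a `requested_subject` detail; both the user list and the event list are constructed sample data.

```python
"""Audit token-exchange events for disabled target users.

Added example, not Keycloak code. Assumed shapes (labelled):
- users: Keycloak-style user export records with "id", "username", "enabled"
- events: Keycloak-style login events with "time", "type", "clientId", "details",
  where an impersonating exchange records the target as details["requested_subject"]
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    event_time: int
    client_id: str
    requested_subject: str
    reason: str


# Constructed sample data: one active user and one deactivated former employee.
SAMPLE_USERS = [
    {"id": "u-1001", "username": "alice", "enabled": True},
    {"id": "u-1002", "username": "bob", "enabled": False},
]

# Constructed sample events: exchanges for a disabled user, an enabled user,
# an unrelated login, a client-only exchange, and an unresolvable subject.
SAMPLE_EVENTS = [
    {"time": 1700000000000, "type": "TOKEN_EXCHANGE", "clientId": "internal-svc",
     "details": {"requested_subject": "bob"}},
    {"time": 1700000001000, "type": "TOKEN_EXCHANGE", "clientId": "internal-svc",
     "details": {"requested_subject": "u-1001"}},
    {"time": 1700000002000, "type": "LOGIN", "clientId": "web-app",
     "details": {"username": "bob"}},
    {"time": 1700000003000, "type": "TOKEN_EXCHANGE", "clientId": "internal-svc",
     "details": {}},
    {"time": 1700000004000, "type": "TOKEN_EXCHANGE", "clientId": "internal-svc",
     "details": {"requested_subject": "carol"}},
]


def index_users(users):
    """Map both the user id and the username to the record, so a
    requested_subject given either way resolves to the same user."""
    by_key = {}
    for user in users:
        by_key[user["id"]] = user
        by_key[user["username"]] = user
    return by_key


def check_requested_subject(user):
    """The guard the flaw omits: a token exchange must refuse a target user
    that is unknown or disabled. Returns None when acceptable, else a reason."""
    if user is None:
        return "requested_subject does not resolve to a user"
    if not user.get("enabled", False):
        return "target user is disabled"
    return None


def audit_token_exchange(events, users):
    """Return a Finding for every TOKEN_EXCHANGE event whose requested_subject
    fails check_requested_subject. Exchanges without a requested_subject are
    client-to-itself exchanges and carry no impersonated target, so they pass."""
    index = index_users(users)
    findings = []
    for event in events:
        if event.get("type") != "TOKEN_EXCHANGE":
            continue
        subject = event.get("details", {}).get("requested_subject")
        if subject is None:
            continue
        reason = check_requested_subject(index.get(subject))
        if reason is not None:
            findings.append(Finding(event["time"], event["clientId"], subject, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_token_exchange(SAMPLE_EVENTS, SAMPLE_USERS):
        print(f"{finding.event_time} client={finding.client_id} "
              f"subject={finding.requested_subject}: {finding.reason}")
```

On a real deployment the user list would come from an admin export or the admin REST API and the events from the realm's event store; the check itself is the same one a patched server applies before issuing tokens, so a non-empty result on an unpatched server is the concrete signal this flaw was exercised.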
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Tracker accuracy feedback form: https://docs.google.com/forms/d/e/1FAIpQLSfa6zTaEGohRdiIqGVAvWTSAL0kpO_DkkEICuIHzQHFwmKswg/viewform
---
*This issue was originally tracked in the private repository as #296. Migrated via lift-embargo process.*