A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application path relative to /realms which is expected to be exposed.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.keycloak:keycloak-quarkus-server(Maven) | 0 | 26.4.4 | N/A |
CVSS Metrics
