Impact
A flaw in Keycloak's client registration service allows an attacker who already holds a Registration Access Token to re‑enable a client that an administrator has deliberately disabled. The vulnerability bypasses the normal disabled‑client guard and permits the attacker to reset the client’s secret, granting unauthorized access to the client’s API and potentially compromising both confidentiality and integrity.
Affected Systems
Red Hat Build of Keycloak is affected. All releases that include the vulnerable client registration service are impacted; no specific version numbers are listed in the data.
Risk and Exploitability
The CVSS score of 6.5 indicates a medium severity risk. The EPSS score is unavailable, so the precise likelihood of exploitation remains unknown. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote; based on the description, it is inferred that an attacker only needs a valid Registration Access Token, which can be issued during dynamic client registration, to exploit this flaw from an external network once the token is in hand.
OpenCVE Enrichment