CVE-2023-3597 in Keycloak
Summary
by MITRE • 04/25/2024
A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass authentication.
Analysis
by VulDB Data Team • 11/11/2025
The vulnerability identified as CVE-2023-3597 represents a critical authentication bypass flaw within the Keycloak identity and access management platform. This issue resides in the org.keycloak.authentication package where the system fails to properly validate client step-up authentication mechanisms. The flaw specifically affects the validation process that should ensure additional authentication factors are legitimately registered and verified before allowing access to protected resources. Keycloak serves as a widely deployed identity provider in enterprise environments, making this vulnerability particularly concerning for organizations relying on its authentication services.
The flaw stems from insufficient validation of second authentication factors during the step-up authentication process. When a user authenticates with a password and then attempts to register an additional authentication factor, the system does not properly verify that the factor is genuinely associated with the authenticated user. This gap allows a malicious actor to register a false authentication factor that the system treats as legitimate, effectively creating a backdoor for unauthorized access. The flaw lies at the authentication-flow level, where the system should strictly validate all authentication factors before granting access privileges.
Operationally, this vulnerability lets a remote attacker bypass multi-factor authentication requirements entirely. A user authenticated with only password credentials can exploit the flaw to register a false second factor and then access protected resources without proper authentication verification. The impact extends beyond individual account compromise, since it undermines the integrity of the entire authentication framework. Organizations that use Keycloak for critical applications, including financial services, healthcare systems, and enterprise resource planning platforms, face significant risk of unauthorized access to sensitive data and systems. Because the flaw is remotely exploitable, attackers need neither physical access nor insider knowledge to leverage it.
Security professionals should consider this vulnerability in relation to CWE-287, which addresses improper authentication, and CWE-305, which covers authentication bypass. The flaw aligns with ATT&CK technique T1078 (valid accounts) and T1566, which involves credential harvesting through various attack vectors. Organizations should immediately implement mitigations: update to a patched version of Keycloak, add monitoring for authentication factor registration activity, and review existing authentication policies to ensure proper validation of all authentication factors. The vulnerability demonstrates the critical importance of robust authentication validation and proper input sanitization in identity management systems to prevent such bypass scenarios.
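A triage heuristic for the factor-registration monitoring recommended above, added here as an example and not code from Keycloak or VulDB: it replays Keycloak-style login and OTP credential events and flags an OTP registration that lands on a user who already holds an active OTP factor, noting whether the new factor arrived from a different address than the one that enrolled the first. The record fields (time, type, userId, sessionId, ipAddress) and the UPDATE_TOTP/REMOVE_TOTP type names are modelled on Keycloak's admin Events API but are assumptions to verify against your version; the events themselves are constructed.

```python
import json
from collections import defaultdict

# Constructed sample events shaped like records from Keycloak's admin Events
# API. Field and type names are assumptions; check them against your version.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"time": 1000, "type": "LOGIN",       "userId": "alice", "sessionId": "s1", "ipAddress": "10.0.0.5"}
{"time": 1010, "type": "UPDATE_TOTP", "userId": "alice", "sessionId": "s1", "ipAddress": "10.0.0.5"}
{"time": 2000, "type": "LOGIN",       "userId": "alice", "sessionId": "s2", "ipAddress": "203.0.113.9"}
{"time": 2005, "type": "UPDATE_TOTP", "userId": "alice", "sessionId": "s2", "ipAddress": "203.0.113.9"}
{"time": 3000, "type": "LOGIN",       "userId": "bob",   "sessionId": "s3", "ipAddress": "10.0.0.7"}
{"time": 3010, "type": "UPDATE_TOTP", "userId": "bob",   "sessionId": "s3", "ipAddress": "10.0.0.7"}
{"time": 3020, "type": "REMOVE_TOTP", "userId": "bob",   "sessionId": "s3", "ipAddress": "10.0.0.7"}
{"time": 3030, "type": "UPDATE_TOTP", "userId": "bob",   "sessionId": "s3", "ipAddress": "10.0.0.7"}
""".strip().splitlines()]


def find_stacked_otp_registrations(events):
    """Return one alert per OTP registration that lands on a user who already
    holds an active OTP factor (no REMOVE_TOTP since the earlier enrolment).
    Stacking a second factor is exactly what CVE-2023-3597 lets a
    password-only session do, so each hit deserves a manual look."""
    active_otp = defaultdict(list)   # userId -> OTP registrations still active
    login_ip = {}                    # sessionId -> ipAddress of its LOGIN event
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, kind = ev["userId"], ev["type"]
        if kind == "LOGIN":
            login_ip[ev["sessionId"]] = ev["ipAddress"]
        elif kind == "REMOVE_TOTP":
            active_otp[user].clear()           # explicit removal: re-enrolment is normal
        elif kind == "UPDATE_TOTP":
            if active_otp[user]:               # a factor already exists: stacked enrolment
                first = active_otp[user][0]
                alerts.append({
                    "userId": user,
                    "sessionId": ev["sessionId"],
                    "time": ev["time"],
                    "existing_factor_ip": first["ipAddress"],
                    "new_factor_ip": ev["ipAddress"],
                    # did the registering session log in from somewhere new?
                    "ip_changed": first["ipAddress"] != login_ip.get(ev["sessionId"]),
                })
            active_otp[user].append(ev)
    return alerts


if __name__ == "__main__":
    for alert in find_stacked_otp_registrations(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Users may legitimately hold more than one OTP credential, so treat a hit as a review queue entry and confirm whether the registering session presented the existing factor rather than a password alone.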