CVE-2023-6927 in Keycloak

Summary

by MITRE • 12/19/2023

A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.


Analysis

by VulDB Data Team • 09/13/2025

CVE-2023-6927 is a critical flaw in the Keycloak identity and access management platform, located in its implementation of the JARM (JWT Secured Authorization Response Mode) response modes. It affects the handling of authorization codes and tokens in Keycloak's OAuth 2.0 and OpenID Connect flows and is therefore a significant risk for organizations that rely on Keycloak for authentication. The root cause is insufficient validation of wildcard patterns when the "form_post.jwt" response mode is used: for clients configured with wildcards, Keycloak does not enforce the intended security boundary, so the protection that this response mode is meant to provide for token delivery to the client can be undermined.

The flaw sits in Keycloak's response mode handling logic, where wildcard patterns are not adequately validated while a JARM response is processed. It affects the authorization code flow and token exchange, and could allow an attacker to intercept and reuse authorization codes or access tokens. It is particularly concerning because it undoes the fix for CVE-2023-6134, a related issue in response mode handling: the relaxed validation of wildcard patterns in JARM responses gives an attacker a way around the controls that patch introduced to keep authentication artifacts from reaching unauthorized parties.

The operational impact goes beyond privilege escalation to authentication bypass and credential theft across multiple client applications. Deployments in which clients use wildcard configurations together with JARM response modes risk unauthorized access to protected resources: an attacker who obtains valid authorization codes or tokens can impersonate legitimate users or reach restricted systems. The more clients are configured with wildcard patterns, the broader the exposure across the authentication infrastructure. Because the issue bypasses the remediation for CVE-2023-6134, it also represents a regression in security posture. The impact is greatest in enterprise environments where Keycloak is the central identity provider for many applications and services.

Exploitation maps to the MITRE ATT&CK privilege escalation and credential access tactics, targeting the OAuth 2.0 and OpenID Connect protocol implementations. The weakness is classified under CWE-284 (improper access control) and CWE-347 (improper verification of cryptographic signature). Immediate mitigations are to update to a patched Keycloak release, to remove wildcard patterns from clients that use JARM response modes, and to monitor for unauthorized token use. Beyond that, organizations should enforce strict response mode validation, add authentication controls where appropriate, review every Keycloak client configuration that uses wildcard patterns, and deploy network-level monitoring for anomalous token exchange patterns that could indicate exploitation. Finally, existing controls should be reviewed to confirm that the bypass of the CVE-2023-6134 protections does not open further attack paths in the authentication infrastructure.
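As an added example (not part of the VulDB record or Keycloak's own code), the following script applies the first mitigation above to a Keycloak realm export: it lists every client that registers a wildcard redirect URI, so those clients can be fixed or moved off the affected response mode before the upgrade lands. The export keys `clients`, `clientId`, `redirectUris` and `attributes` are the real realm export fields; the client attribute name used to prioritise JARM-enabled clients and the sample realm itself are assumptions constructed for this example.

```python
"""Audit a Keycloak realm export for clients with wildcard redirect URIs.

Added example, not Keycloak's own code. Clients that combine a wildcard
redirect URI with the form_post.jwt response mode are the ones exposed by
CVE-2023-6927, so the report ranks wildcard clients that have JARM enabled
above those that do not.
"""
import json
from dataclasses import dataclass

# Client attribute under which Keycloak stores the JARM signing algorithm.
# Assumed attribute name, used only to prioritise findings.
JARM_ALG_ATTRIBUTE = "authorization.signed.response.alg"


@dataclass
class Finding:
    client_id: str
    wildcard_uris: list
    jarm_enabled: bool

    @property
    def severity(self) -> str:
        # A wildcard client that also signs its responses (JARM) matches the
        # affected configuration directly; other wildcard clients still warrant review.
        return "high" if self.jarm_enabled else "medium"


def is_wildcard(uri: str) -> bool:
    """Keycloak treats a trailing '*' as a wildcard; any '*' is flagged here."""
    return "*" in uri


def audit_clients(realm: dict) -> list:
    """Return one Finding per client that registers at least one wildcard URI."""
    findings = []
    for client in realm.get("clients", []):
        wildcards = [u for u in client.get("redirectUris", []) if is_wildcard(u)]
        if not wildcards:
            continue
        jarm = bool(client.get("attributes", {}).get(JARM_ALG_ATTRIBUTE))
        findings.append(Finding(client["clientId"], wildcards, jarm))
    # Highest severity first so the report leads with the JARM clients.
    return sorted(findings, key=lambda f: (f.severity != "high", f.client_id))


def render_report(findings: list) -> str:
    lines = []
    for f in findings:
        lines.append(f"[{f.severity}] {f.client_id}: remove wildcard redirect URIs "
                     f"{', '.join(f.wildcard_uris)}")
    return "\n".join(lines) if lines else "no wildcard redirect URIs found"


# Constructed realm export: three clients, two of which use wildcards.
SAMPLE_REALM = json.loads("""
{
  "realm": "example",
  "clients": [
    {"clientId": "portal",
     "redirectUris": ["https://portal.example.com/*"],
     "attributes": {"authorization.signed.response.alg": "RS256"}},
    {"clientId": "reports",
     "redirectUris": ["https://reports.example.com/callback",
                      "https://*.reports.example.com/cb"],
     "attributes": {}},
    {"clientId": "admin-cli",
     "redirectUris": ["https://admin.example.com/callback"],
     "attributes": {}}
  ]
}
""")


if __name__ == "__main__":
    print(render_report(audit_clients(SAMPLE_REALM)))
```

Run against a real export (`kc.sh export` output or the admin console's client export) by loading that file in place of `SAMPLE_REALM`; every `high` finding is a client whose redirect URIs should be made exact before it keeps using `form_post.jwt`.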

Responsible

Red Hat, Inc.

Reservation

12/18/2023

Disclosure

12/19/2023

Moderation

accepted

CPE

ready

EPSS

0.01109

KEV

no

Activities

very low
