CVE-2026-4630
Severity: Medium
CWE-639 — Weakness Type
Published: May 19, 2026 · Modified: May 20, 2026 · Source: NVD
CVSS v3: 6.8
📄 Description (English)

A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.

🤖 AI Executive Summary

A critical IDOR vulnerability in Keycloak's Authorization Services Protection API allows authenticated clients to bypass authorization checks and access resources from other Resource Servers within the same realm using known UUIDs. This enables unauthorized read, modify, and delete operations on sensitive data. The vulnerability affects organizations using Keycloak for identity and access management, particularly those managing multi-tenant or multi-service environments.

🤖 AI Intelligence Analysis Analyzed: May 19, 2026 16:48
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations using Keycloak for identity management, particularly:
1. Banking sector (SAMA-regulated institutions) managing customer data and authorization across multiple services
2. Government agencies (NCA oversight) using Keycloak for inter-agency access control
3. Healthcare providers managing patient records across multiple systems
4. Energy sector (ARAMCO, utilities) managing critical infrastructure access
5. Telecom operators (STC, Mobily) managing subscriber data and service access
The IDOR vulnerability could lead to unauthorized access to sensitive financial, personal, and operational data, violating SAMA CSF and NCA ECC requirements.
🏢 Affected Saudi Sectors
Banking and Financial Services, Government and Public Administration, Healthcare and Medical Services, Energy and Utilities, Telecommunications, E-commerce and Retail, Education
⚖️ Saudi Risk Score (AI): 7.8 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Audit all Keycloak Authorization Services Protection API endpoints for unauthorized access attempts in logs
2. Review all Resource Server configurations and identify cross-realm resource sharing scenarios
3. Implement network-level access controls restricting Authorization Services API access to trusted clients only
4. Disable or restrict the Authorization Services Protection API if not actively used

Compensating Controls (until patch available):
1. Implement API gateway authentication and authorization layer with additional UUID validation
2. Add request logging and monitoring for all Authorization Services API calls with alerting on suspicious patterns
3. Implement rate limiting on Authorization Services endpoints
4. Enforce mutual TLS (mTLS) for all client-to-Keycloak communications
5. Segment Resource Servers by realm to prevent cross-realm access

Detection Rules:
1. Alert on Authorization Services API calls with UUIDs not matching the authenticated client's assigned resources
2. Monitor for PUT/DELETE operations on resources by clients without explicit resource ownership
3. Track failed authorization checks followed by successful operations on the same resource
4. Log and alert on API calls accessing resources from a different Resource Server than the client's primary assignment
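Detection rules 1, 2 and 4 and the gateway-side UUID validation in compensating control 1 reduce to one check: does the authenticated client own the resource UUID it is calling? The following Python is an added example, not code from this page or from the Keycloak project; it assumes a constructed gateway access-log format, a constructed resource-owner inventory (in practice exported from the Keycloak admin API) and the Protection API path shape `/realms/{realm}/authz/protection/resource_set/{id}`.

```python
import re
from collections import namedtuple

# Constructed inventory: resource UUID -> owning Resource Server (client id).
# In a real deployment this is exported from the Keycloak admin API.
RESOURCE_OWNERS = {
    "3f6c2a1e-0b7d-4e5a-9c21-7d1f2b9a4e10": "billing-api",
    "a91b4c77-52d3-4f0e-8a6b-1c3d5e7f9a2b": "billing-api",
    "c0ffee00-1234-4abc-8def-0123456789ab": "orders-api",
}

# Constructed gateway access-log lines (assumed format):
# <timestamp> client=<client_id> <method> <path> <status>
SAMPLE_LOG = """\
2026-05-19T16:40:01Z client=billing-api GET /realms/corp/authz/protection/resource_set/3f6c2a1e-0b7d-4e5a-9c21-7d1f2b9a4e10 200
2026-05-19T16:40:05Z client=orders-api GET /realms/corp/authz/protection/resource_set/a91b4c77-52d3-4f0e-8a6b-1c3d5e7f9a2b 200
2026-05-19T16:40:09Z client=orders-api DELETE /realms/corp/authz/protection/resource_set/3f6c2a1e-0b7d-4e5a-9c21-7d1f2b9a4e10 204
2026-05-19T16:40:12Z client=orders-api PUT /realms/corp/authz/protection/resource_set/c0ffee00-1234-4abc-8def-0123456789ab 204
2026-05-19T16:40:15Z client=reports-api GET /realms/corp/authz/protection/resource_set/deadbeef-0000-4000-8000-000000000000 404
"""

# Protection API resource_set path shape (assumed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>GET|PUT|DELETE|POST) "
    r"/realms/(?P<realm>[^/]+)/authz/protection/resource_set/(?P<rid>[0-9a-f-]{36}) "
    r"(?P<status>\d{3})$"
)

# owner is None when the UUID is not in the inventory at all.
Alert = namedtuple("Alert", "ts client method resource_id owner severity")

def detect_cross_resource_server_access(log_text, owners=RESOURCE_OWNERS):
    """Flag successful Protection API calls on resources the caller does not own
    (detection rules 1, 2 and 4). Writes are rated higher than reads."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a resource_set call
        if int(m["status"]) >= 400:
            continue  # rejected by Keycloak: no bypass occurred
        owner = owners.get(m["rid"])
        if owner == m["client"]:
            continue  # caller owns the resource: legitimate
        severity = "high" if m["method"] in ("PUT", "DELETE") else "medium"
        alerts.append(Alert(m["ts"], m["client"], m["method"], m["rid"], owner, severity))
    return alerts
```

The same ownership lookup, run before the request is forwarded instead of over the log afterwards, is the gateway-side UUID validation from compensating control 1.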
🔧 Remediation Steps (Arabic, translated to English)
Immediate Actions:
1. Audit all Keycloak Authorization Services API endpoints to detect unauthorized access attempts
2. Review all Resource Server configurations and identify cross-realm resource sharing scenarios
3. Apply network-level access controls to restrict API access to trusted clients only
4. Disable or restrict the Authorization Services Protection API if it is not in active use

Compensating Controls (until a patch is available):
1. Apply an additional API gateway authentication and authorization layer with UUID validation
2. Add logging and monitoring for all Authorization Services API calls, with alerting
3. Apply rate limiting on Authorization Services endpoints
4. Enforce mutual TLS (mTLS) for all client-to-Keycloak communications
5. Segment Resource Servers by realm to prevent cross-realm access

Detection Rules:
1. Alert on Authorization Services API calls with UUIDs that do not match the client's authorized resources
2. Monitor PUT/DELETE operations on resources by clients without explicit resource ownership
3. Track failed authorization checks followed by successful operations on the same resource
4. Log and alert on API calls that access resources from different Resource Servers
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - Access control policy
A.6.2.1 - User registration and access rights management
A.6.2.2 - Privileged access rights
A.8.2.1 - User endpoint devices
A.8.3.1 - Information and other assets associated with information processing facilities
🔵 SAMA CSF
ID.AC-1 - Identity and Access Management
ID.AC-2 - Access Control
PR.AC-1 - Processes and procedures for access authorization
PR.AC-3 - Access enforcement
DE.AE-1 - Audit logs
🟡 ISO 27001:2022
5.3 - Access control
6.2 - Information security roles and responsibilities
8.2 - Privileged access rights
8.3 - Information access restriction
8.4 - Access to source code
🟣 PCI DSS v4.0.1
Requirement 2 - Default security parameters
Requirement 6 - Secure development and vulnerability management
Requirement 7 - Restrict access to data by business need
📊 CVSS Score: 6.8 / 10.0 — Medium
📊 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: N — Network
Attack Complexity: H — High
Privileges Required: L — Low
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: H — High
Integrity: H — High
Availability: N — None
📋 Quick Facts
Severity: Medium
CVSS Score: 6.8
CWE: CWE-639
EPSS: 0.03%
Exploit: No
Patch: ✗ No
Published: 2026-05-19
Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.8 / 10.0 — Priority: HIGH
🏷️ Tags: CWE-639