6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-6787

GHSA ID

GHSA-c9h6-v78w-52wj

EPSS Score

0.61307%

CWE

CWE-287

Published

4/17/2024

Updated

3/14/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-6787

CVE-2023-6787: Keycloak vulnerable to session hijacking via re-authentication

A flaw was found in Keycloak. An active keycloak session can be hijacked by initiating a new authentication (having the query parameter prompt=login) and forcing the user to enter his credentials once again. If the user cancels this re-authentication by clicking Restart login, the account takeover could take place as the new session, with a different SUB, will have the same SID as the previous session.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-6787

GHSA ID

GHSA-c9h6-v78w-52wj

EPSS Score

0.61307%

CWE

CWE-287

Published

4/17/2024

Updated

3/14/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.keycloak:keycloak-services	maven	< 22.0.10	22.0.10
org.keycloak:keycloak-services	maven	>= 23.0.0, < 24.0.3	24.0.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper session management during re-authentication flows. Keycloak's authorization endpoint handles 'prompt=login' requests but doesn't properly reset session identifiers when users cancel re-authentication. AuthenticationManager's cookie handling retains the same SID across sessions when re-auth is interrupted, violating session isolation. These functions directly manage session creation/authentication state and align with the described SID reuse behavior. The CWEs (287/384/613) all point to authentication/session management flaws in these core authentication flow components.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w w*s *oun* in K*y*lo*k. *n **tiv* k*y*lo*k s*ssion **n ** *ij**k** *y initi*tin* * n*w *ut**nti**tion (**vin* t** qu*ry p*r*m*t*r prompt=lo*in) *n* *or*in* t** us*r to *nt*r *is *r***nti*ls on** ***in. I* t** us*r **n**ls t*is r*-*ut**nti**tion

Reasoning

T** vuln*r**ility st*ms *rom improp*r s*ssion m*n***m*nt *urin* r*-*ut**nti**tion *lows. K*y*lo*k's *ut*oriz*tion *n*point **n*l*s 'prompt=lo*in' r*qu*sts *ut *o*sn't prop*rly r*s*t s*ssion i**nti*i*rs w**n us*rs **n**l r*-*ut**nti**tion. `*ut**nti**

6.5

Basic Information

Concerned about an active attack path?

CVE-2023-6787: Keycloak vulnerable to session hijacking via re-authentication

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI