The vulnerability is a Denial of Service (DoS) vector in Keycloak's default configuration. It stems from the underlying Java Development Kit (JDK), whose TLS implementation (JSSE) accepts client-initiated renegotiation on TLS 1.2 and earlier connections by default; TLS 1.3 removed renegotiation from the protocol, so only sessions negotiated at 1.2 or below are exposed. Each renegotiation forces the server through another full handshake, including its share of the key exchange and the signature it must produce, so an attacker who holds a few connections open and repeatedly requests renegotiation can drive CPU exhaustion and make the service unavailable. The security patch addresses this by modifying the startup scripts (kc.sh and kc.bat) to pass the Java system property -Djdk.tls.rejectClientInitiatedRenegotiation=true on the java command line. This property instructs the JDK to refuse any renegotiation that the client initiates (server-initiated renegotiation is unaffected), so the second ClientHello is answered with an alert instead of another handshake.

Two caveats follow from where the fix lives. First, it is a JVM system property rather than a Keycloak setting, so a deployment that launches Keycloak through anything other than the patched scripts (a custom launcher, or a wrapper that replaces the scripts' JVM options) has to supply the property itself. Second, it only matters when the JVM terminates TLS; where a reverse proxy or ingress terminates TLS in front of Keycloak, renegotiation has to be rejected there instead, and the JVM property does nothing for the exposed listener. As the vulnerability lies in the TLS protocol configuration at the JVM level and not within a specific application function, no vulnerable functions within the Keycloak codebase can be identified from the patch; the entire service is susceptible because of the environment's configuration. During an exploit, profiling would show high CPU usage in the JVM's internal TLS/SSL handling threads, not in specific Keycloak application logic.
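The following script is an added example, not code from the Keycloak patch or project. It shows the three things an operator wants around this fix: passing the property to a Keycloak build whose scripts do not yet carry it, confirming that the running JVM actually sees it, and probing the HTTPS listener from outside with openssl s_client to tell whether a TLS 1.2 client-initiated renegotiation is still honoured. It assumes a Keycloak launcher that honours JAVA_OPTS_APPEND, an HTTPS listener reachable at KC_HOST:KC_PORT (defaults are assumptions), and jcmd from a JDK on the host; the two s_client transcripts used to exercise the classifier are constructed and abridged, not captured output.

```shell
#!/usr/bin/env bash
# Added example, not part of Keycloak's own scripts: apply the JVM property
# the patch adds to kc.sh, confirm it is live inside the JVM, and probe the
# listener from outside to see whether a TLS 1.2 client-initiated
# renegotiation is still accepted.
set -eu

RENEGO_FLAG='-Djdk.tls.rejectClientInitiatedRenegotiation=true'
# Assumed host/port of the Keycloak HTTPS listener (override via environment).
KC_HOST="${KC_HOST:-localhost}"
KC_PORT="${KC_PORT:-8443}"

# For a build whose kc.sh does not yet carry the flag: pass it through
# JAVA_OPTS_APPEND (assumed to be honoured by the Keycloak launcher).
start_keycloak_hardened() {
  JAVA_OPTS_APPEND="${JAVA_OPTS_APPEND:-} ${RENEGO_FLAG}" bin/kc.sh start "$@"
}

# Confirm the running JVM actually sees the property. A flag dropped by a
# wrapper script or container entrypoint is the usual way the fix gets lost.
jvm_rejects_renegotiation() {
  local pid="$1"   # PID of the Keycloak JVM, e.g. from: jps -l
  jcmd "$pid" VM.system_properties \
    | grep -q '^jdk.tls.rejectClientInitiatedRenegotiation=true$'
}

# Probe the listener: complete a TLS 1.2 handshake, then ask s_client to
# renegotiate by feeding it a line consisting of "R". -state makes it print
# the handshake state machine and any alert it receives.
probe_renegotiation() {
  { printf 'R\n'; sleep 2; } \
    | openssl s_client -connect "${KC_HOST}:${KC_PORT}" -tls1_2 -state 2>&1 \
    || true   # s_client exits non-zero when the server drops the session
}

# Interpret the probe: everything after the RENEGOTIATING marker is the
# server's answer to the second ClientHello. An alert means the JVM refused
# it (patched behaviour); a second completed handshake means the listener
# still performs the expensive handshake on demand.
classify_renego_output() {
  local out="$1"
  local after="${out#*RENEGOTIATING}"
  if [ "$after" = "$out" ]; then
    echo unknown          # s_client never reached the renegotiation step
  elif printf '%s' "$after" | grep -qi 'alert'; then
    echo rejected
  elif printf '%s' "$after" | grep -q 'SSL negotiation finished successfully'; then
    echo accepted
  else
    echo unknown
  fi
}

# Constructed, abridged s_client -state transcripts for the two outcomes
# (not captured from a real Keycloak instance).
SAMPLE_REJECTED='SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSL negotiation finished successfully
---
RENEGOTIATING
SSL_connect:SSLv3/TLS write client hello
SSL3 alert read:fatal:handshake failure
SSL_connect:error in error'

SAMPLE_ACCEPTED='SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSL negotiation finished successfully
---
RENEGOTIATING
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSL negotiation finished successfully'

# Usage: ./renego-check.sh probe   (live probe against KC_HOST:KC_PORT)
if [ "${1:-}" = probe ]; then
  classify_renego_output "$(probe_renegotiation)"
fi
```

Run the probe before and after applying the patch: an unpatched JVM completes the second handshake and the classifier reports "accepted", a patched one answers with an alert and the session ends, reported as "rejected". Point the probe at whatever terminates TLS for clients; if that is a proxy rather than the JVM, a "rejected" result says nothing about the JVM and an "accepted" result means the proxy, not Keycloak, needs the fix.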