A flaw was found in keycloak versions prior to 12.0.0 where it is possible to update the user's meta-data attributes using Account REST API. It is now possible for any evil user to change its own NameID attribute to impersonate the admin user for any particular application.
A flaw was found in keycloak versions prior to 12.0.0 where it is possible to update the user's meta-data attributes using Account REST API. It is now possible for any evil user to change its own NameID attribute to impersonate the admin user for any particular application.
https://bugzilla.redhat.com/show_bug.cgi?id=1905089