Skip to main content

Authentication Bypass by Spoofing


Severity High
Score 7.5/10


Keycloak Device Authorization Grant is vulnerable to Client Spoofing. Under certain pre-conditions the vulnerability allows an attacker to spoof parts of the device flow and use a "device_code" to retrieve an access token for other OAuth clients. This issue affects versions prior to 21.1.2.

  • LOW
  • HIGH
  • NONE
  • NONE
  • NONE
  • NONE

CWE-290 - Authentication Bypass by Spoofing

This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.

Advisory Timeline

  • Published