Authentication Bypass by Spoofing
Keycloak's Device Authorization Grant is vulnerable to Client Spoofing. Under certain pre-conditions, the vulnerability allows an attacker to spoof parts of the device flow and use a "device_code" to retrieve an access token for other OAuth clients. This issue affects versions prior to 21.1.2.
CWE-290 - Authentication Bypass by Spoofing
This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.
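An added illustrative model (not Keycloak's code) of the invariant behind the advisory above: a minimal RFC 8628 device flow in which the token endpoint verifies that the device_code being redeemed was issued to the authenticating client_id, so a device_code cannot be turned into a token for a different client. Client ids, user names and the TTL are constructed values.

```python
import secrets
import time

# Constructed in-memory model of the OAuth 2.0 Device Authorization Grant (RFC 8628).
# Not Keycloak's implementation; it shows only the device_code-to-client binding.
DEVICE_CODE_TTL = 600  # seconds, constructed value


class DeviceCodeStore:
    def __init__(self):
        self._codes = {}  # device_code -> pending authorization record

    def device_authorization(self, client_id, scope):
        """Step 1: the device requests a device_code; the issuing client is recorded."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()
        self._codes[device_code] = {
            "client_id": client_id,
            "scope": scope,
            "user_code": user_code,
            "expires_at": time.time() + DEVICE_CODE_TTL,
            "approved_by": None,
        }
        return device_code, user_code

    def approve(self, user_code, user):
        """Step 2: the user enters the user_code on another device and consents."""
        for rec in self._codes.values():
            if rec["user_code"] == user_code:
                rec["approved_by"] = user
                return True
        return False

    def token(self, client_id, device_code):
        """Step 3: the device polls the token endpoint. Returns (status, token_or_None)."""
        rec = self._codes.get(device_code)
        if rec is None:
            return "invalid_grant", None
        if rec["expires_at"] < time.time():
            return "expired_token", None
        # Binding check: the device_code may only be redeemed by the client that
        # requested it, otherwise another client could obtain a token on its behalf.
        if rec["client_id"] != client_id:
            return "invalid_grant", None
        if rec["approved_by"] is None:
            return "authorization_pending", None
        del self._codes[device_code]  # single use
        return "ok", {"access_token": secrets.token_urlsafe(32), "client_id": client_id,
                      "sub": rec["approved_by"], "scope": rec["scope"]}
```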