CVE-2020-27826

Severity: Medium
Remote: Yes
Type: Privilege escalation
A flaw was found in Keycloak versions prior to 12.0.0 where a user can update their own metadata attributes through the Account REST API. Any malicious user can change their own NameID attribute to impersonate the admin user for any particular application.
Group     Package   Affected  Fixed     Severity  Status  Ticket
AVG-1373  keycloak  11.0.3-1  12.0.0-1  Medium    Fixed