CVE-2020-27826

Source
https://cve.org/CVERecord?id=CVE-2020-27826
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-27826.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-27826
Aliases
Downstream
Published
2021-05-28T11:15:07.670Z
Modified
2026-04-10T04:19:04.839565Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.

References

Affected packages

Git / github.com/keycloak/keycloak

Affected ranges

Type
GIT
Repo
https://github.com/keycloak/keycloak
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "12.0.0"
        }
    ]
}

Affected versions

1.*
1.0-alpha-1
1.0-alpha-1-12062013
1.0-alpha-2
1.0-alpha-3
1.0-beta-1
1.0-beta-2
1.0-beta-4
1.0-final
1.0-rc-1
1.0.0.Final
1.1.0.Beta2
1.3.0.Final
2.*
2.4.0.Test

Database specific

unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.4"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.4.4"
            }
        ]
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-27826.json"