A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
CVE-2024-3656
Score elevated to 9.0 because EPSS predicts 90% probability of exploitation within the next 30 days (top 0.4% of all CVEs). NVD baseline CVSS 8.1 retained for reference. Confidence: see factors.
- High severity, but no confirmed exploitation yet
A fix is available — apply it.
- CVSS v3
- 8.1
- EG Score
- 9.0(high)
- EPSS
- 85.0%
- KEV
- Not listed
Published
October 9, 2024
Last Modified
April 15, 2026
References (8)
- secalert@redhathttps://access.redhat.com/errata/RHSA-2024:3572
- secalert@redhathttps://access.redhat.com/errata/RHSA-2024:3575
- secalert@redhathttps://access.redhat.com/security/cve/CVE-2024-3656
- secalert@redhathttps://bugzilla.redhat.com/show_bug.cgi?id=2274403
- secalert@redhathttps://github.com/advisories/GHSA-2cww-fgmg-4jqc
- af854a3a-2127-422b-91ae-364da2661108https://github.com/hnsecurity/vulns/blob/main/HNS-2024-08-Keycloak.md
- af854a3a-2127-422b-91ae-364da2661108https://news.ycombinator.com/item?id=42136000
- af854a3a-2127-422b-91ae-364da2661108https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system/
Affected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.keycloak:keycloak-services | 1.0-alpha-1 ... 9.0.3 (173 versions) | 24.0.5 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
All Vendor Advisories
(2)
Every vendor that published an advisory referencing this CVE — pulled from our cve_vendor_advisories aggregation. Click any row for the vendor's original advisory page.
Publicly available exploits
(2 references)Working exploit code is in the public domain (1 GitHub PoC). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCh4x0r-dz/CVE-2024-3656First seen Oct 12, 2024
Keycloak admin API allows low privilege users to use administrative functions
Open source ↗ - Nucleihttp/cves/2024/CVE-2024-3656.yamlFirst seen Jan 1, 2024
Keycloak < 24.0.5 - Broken Access Control
Open source ↗
Related CVEs(same vendor + same CWE)
Same vendor
10 shownredhat
Same CWE
10 shownCWE-200
Frequently asked(5)
What is CVE-2024-3656?
When was CVE-2024-3656 disclosed?
Is CVE-2024-3656 actively exploited?
What is the CVSS score of CVE-2024-3656?
How do I remediate CVE-2024-3656?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2024-3656
Is Your Infrastructure Affected by CVE-2024-3656?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.