A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow.
Exploitability
AV:NAC:LPR:HUI:NScope
S:UImpact
C:HI:HA:N6.5/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NOther