Improper Authorization
Description
org.keycloak:keycloak-server-spi-private and org.keycloak:keycloak-services are vulnerable to Improper Authorization. Under certain pre-conditions, an attacker can bypass authentication by retrieving an access token for other OAuth clients, using a device_code that was acquired by spoofing parts of the device flow.
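The defect described above comes down to one missing binding in the OAuth 2.0 device authorization grant (RFC 8628): a device_code must be redeemable only by the client that obtained it, and the token minted from it must be issued for that same client. The model below is an added illustration written for this page; it is not Keycloak code and does not reproduce Keycloak's internals. The names `DeviceFlowServer`, `bind_client`, `tv-app` and `other-client`, and the 600-second lifetime, are constructed for the example. `bind_client=False` shows the class of flaw (any client can exchange any approved code), `bind_client=True` shows the hardened behaviour.

```python
"""Miniature device authorization grant (RFC 8628) token endpoint.

Added example, not Keycloak code. Demonstrates binding a device_code to the
client_id that requested it and enforcing that binding at token exchange.
All identifiers and the sample lifetime are constructed for illustration.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

DEVICE_CODE_LIFETIME = 600  # seconds; constructed sample value


@dataclass
class DeviceCodeRecord:
    client_id: str          # client that called the device authorization endpoint
    scope: str
    issued_at: float
    approved: bool = False  # set once the user approves on a second device
    user: Optional[str] = None


class DeviceFlowServer:
    """bind_client=False reproduces the class of flaw (code not tied to a client);
    bind_client=True is the hardened behaviour."""

    def __init__(self, bind_client: bool = True, clock=time.time):
        self.bind_client = bind_client
        self._clock = clock
        self._codes: dict[str, DeviceCodeRecord] = {}

    # Step 1: the device calls the device authorization endpoint.
    # The issuing client_id is recorded alongside the code.
    def device_authorization(self, client_id: str, scope: str) -> str:
        device_code = secrets.token_urlsafe(32)
        self._codes[device_code] = DeviceCodeRecord(client_id, scope, self._clock())
        return device_code

    # Step 2: the user approves on another device (user_code handling elided).
    def approve(self, device_code: str, user: str) -> None:
        rec = self._codes[device_code]
        rec.approved, rec.user = True, user

    # Step 3: the device polls the token endpoint with
    # grant_type=urn:ietf:params:oauth:grant-type:device_code.
    def token(self, client_id: str, device_code: str) -> dict:
        rec = self._codes.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self._clock() - rec.issued_at > DEVICE_CODE_LIFETIME:
            del self._codes[device_code]
            return {"error": "expired_token"}
        if not rec.approved:
            return {"error": "authorization_pending"}
        if self.bind_client and rec.client_id != client_id:
            # Hardened path: the code belongs to a different client. Refuse and
            # burn the code so a leaked code cannot be retried by anyone.
            del self._codes[device_code]
            return {"error": "invalid_grant"}
        del self._codes[device_code]  # codes are single use
        # Flawed variant: token minted for whoever presents the code.
        # Hardened variant: token minted for the client recorded at issuance.
        audience = rec.client_id if self.bind_client else client_id
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "client_id": audience,
            "sub": rec.user,
            "scope": rec.scope,
        }
```

The invariant to look for in any device-flow implementation is that the client identity is captured when the device_code is created and compared, not re-read from the request, when the code is exchanged; the token's audience and scope should likewise come from the stored record rather than from parameters the polling client supplies.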