Update out of scope items on security reports#759
Open
abstractj wants to merge 1 commit into
Open
Conversation
Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com>
ahus1
requested changes
May 26, 2026
Member
ahus1
left a comment
ahus1
left a comment
There was a problem hiding this comment.
Thank you for the update. See below for some comments. Feel free to have a 1:1 call on these.
I realize I've made some changes in the past but didn't update the security.md file. Maybe you could convert the HTML to Markdown with a script to catch also the items I've added in the past.
| <li>Malicious or compromised administrator: Keycloak's threat model considers realm administrators as trusted. Reports that rely on leveraging legitimate administrator access to abuse extended rights will not be considered, as this applies to any application granting administrative privileges.</li> | ||
| <li>Cross-role administrative access between built-in admin roles (e.g., <code>manage-realm</code>, <code>manage-clients</code>, <code>manage-users</code>, <code>view-users</code>, <code>view-clients</code>, <code>query-groups</code>) without proven privilege escalation to a non-administrative user or PII leakage to an unauthenticated party. Administrators with any <code>manage-*</code> or <code>view-*</code> role are considered privileged; accessing data or performing actions across these roles does not constitute a vulnerability.</li> | ||
| <li>Informational disclosures without security impact, such as software fingerprinting, generic error messages, basic version strings, directory listings on non-critical paths, or stack traces that do not leak secrets, PII, or internal network structure.</li> | ||
| <li>Denial of Service (DoS), including Regular Expression DoS (ReDoS), resource exhaustion via caching, API abuse, or unbounded computations.</li> |
Member
There was a problem hiding this comment.
I don't agree with that:
- We've seen legitimate DoS in the past, and we want to continue to see reports. See [CVE-2026-7307] Denial of service when sending a crafted request to the /saml endpoint keycloak#49108 for an example
- ReDoS is a real threat. There might be a regex hard-coded in Keycloak, that is then triggered by an authenticated or unauthenticated user. This problem is real. A malicious admin could adds a regex that is problematic for ReDos: This might either be a malicious admin (we could discuss if this is part of what we want to accept - at least in a multi-tenant setup it could be problematic). Or an admin that puts a regex there by accident - and then it is still Keycloak's fault to accept it. A short google search revealed for example this article: https://www.iriusrisk.com/resources-blog/reducing-redos-attacks-in-our-software
| <li>Informational disclosures without security impact, such as software fingerprinting, generic error messages, basic version strings, directory listings on non-critical paths, or stack traces that do not leak secrets, PII, or internal network structure.</li> | ||
| <li>Denial of Service (DoS), including Regular Expression DoS (ReDoS), resource exhaustion via caching, API abuse, or unbounded computations.</li> | ||
| <li>Self-XSS or XSS that cannot impact other users (e.g., requires unlikely user interaction within the reporter's own session).</li> | ||
| <li>User or client enumeration. Confirming user existence is often intentional for usability or unavoidable; effective mitigations (MFA, brute-force protection) exist elsewhere.</li> |
Member
There was a problem hiding this comment.
We would still like to hear about enumeration, but we would treat them as hardening? Would that be a third category between in-scope and out-of-scope?
| <p>The following vulnerability classes are considered out of scope. Reports in these categories will generally be closed without action. We encourage reporters to review this list before submitting to help us focus on actionable security issues.</p> | ||
| <ul> | ||
| <li>Malicious or compromised administrator: Keycloak's threat model considers realm administrators as trusted. Reports that rely on leveraging legitimate administrator access to abuse extended rights will not be considered, as this applies to any application granting administrative privileges.</li> | ||
| <li>Cross-role administrative access between built-in admin roles (e.g., <code>manage-realm</code>, <code>manage-clients</code>, <code>manage-users</code>, <code>view-users</code>, <code>view-clients</code>, <code>query-groups</code>) without proven privilege escalation to a non-administrative user or PII leakage to an unauthenticated party. Administrators with any <code>manage-*</code> or <code>view-*</code> role are considered privileged; accessing data or performing actions across these roles does not constitute a vulnerability.</li> |
Member
There was a problem hiding this comment.
The wording surprises me: Why would I have roles in the first place if they can still "access data or performing actions across these roles"? Is "these roles" consider the assigned roles, or also the not assigned roles? Either this is vague, or maybe it is saying: We know it is broken, don't report this any more until we eventually fix it?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
After your approval I will update the SECURITY.md file.