
CVE-2024-4540: Keycloak OAuth 2.0 PAR Info Disclosure

CVE-2024-4540 is an information disclosure flaw in Keycloak's OAuth 2.0 Pushed Authorization Requests that exposes client parameters in plain text via cookies. This article covers technical details, affected versions, and mitigation.

CVE-2024-4540 Overview

CVE-2024-4540 is an information disclosure vulnerability in Keycloak's OAuth 2.0 Pushed Authorization Requests (PAR) implementation. The authorization server returns client-provided parameters in plain text inside the KC_RESTART cookie when responding to a request_uri authorization request. PAR exists specifically to keep authorization parameters confidential by transmitting them through a back-channel, so leaking them through a browser cookie defeats the security goal of the extension. The flaw is tracked under [CWE-312: Cleartext Storage of Sensitive Information] and was disclosed through multiple Red Hat Security Advisories covering Red Hat Single Sign-On and Red Hat build of Keycloak.

Impact

Sensitive OAuth authorization parameters submitted through PAR may be exposed in cleartext via the KC_RESTART cookie, undermining the confidentiality guarantees of the PAR extension. The flaw affects confidentiality only: it does not by itself allow token forgery, session hijacking, or modification of the authorization request. Red Hat rates it Important (CVSS v3.1 base score 7.5).

Affected Products

  • Red Hat build of Keycloak 22
  • Red Hat Single Sign-On 7
  • Keycloak instances implementing OAuth 2.0 Pushed Authorization Requests (PAR)

Discovery Timeline

  • 2024-06-03 - CVE-2024-4540 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-4540

Vulnerability Analysis

The vulnerability resides in how the Keycloak authorization server handles OAuth 2.0 Pushed Authorization Requests. PAR allows clients to send authorization parameters directly to the authorization server through an authenticated back-channel POST to the PAR endpoint and then reference them from the front-channel with a short-lived request_uri, so that the browser-visible authorization request carries little more than client_id and request_uri. This keeps the actual parameters out of browser URLs, history, server and proxy logs, and Referer headers, and keeps them away from the resource owner's user agent entirely. Keycloak breaks this guarantee by serializing the client-provided parameters into the KC_RESTART cookie that it sets on the user agent while processing the request_uri authorization request. KC_RESTART is a signed, not encrypted, token, so its payload is readable by anything that can read the cookie value: the end user inspecting their own browser, browser extensions with cookie access, local attackers with access to the browser profile, or in-page script if the cookie were ever exposed without HttpOnly. Every parameter the client intended to keep confidential through PAR therefore lands in exactly the place PAR was meant to keep it out of.

Root Cause

The root cause is improper handling of sensitive data classification in the PAR flow. The KC_RESTART cookie is used by Keycloak to preserve authorization state across redirects, but the implementation embeds the original request parameters in cleartext rather than referencing them by an opaque identifier or encrypting the payload. This violates the confidentiality model that PAR is designed to enforce, as documented in [CWE-312].

Attack Vector

The attack vector is rated network-based with no privileges or user interaction required, because the disclosure happens in the authorization server's own HTTP response: the server hands the parameters to the user agent unprompted. Practical exploitation then requires the ability to read that user agent's cookie jar, which includes the resource owner themselves, a malicious browser extension, or an attacker with filesystem access to the browser profile; cross-site scripting in the Keycloak origin would only add to this if the cookie were reachable from script. Recovered parameters may include client identifiers, scopes, requested claims, login hints, or other client-confidential context that PAR was meant to protect. Note that the client's own credentials for the PAR endpoint are a separate concern from the authorization parameters this flaw exposes.

No verified public exploit code is available for CVE-2024-4540. Refer to the Red Hat CVE-2024-4540 Details page and Red Hat Bugzilla Report #2279303 for vendor analysis.

Detection Methods for CVE-2024-4540

Indicators of Compromise

  • Presence of KC_RESTART cookies containing readable OAuth parameters such as client_id, scope, redirect_uri, or login_hint in plain text.
  • Authorization server responses to request_uri requests that set the KC_RESTART cookie with decodable JWT payload containing client-submitted PAR parameters.
  • Unexpected access to browser storage or cookie jars on hosts that authenticate to a vulnerable Keycloak instance.

Detection Strategies

  • Inspect HTTP responses from the realm's authorization endpoint (protocol/openid-connect/auth, under /auth/realms/{realm}/ on the legacy WildFly-based Red Hat Single Sign-On 7 distribution and under /realms/{realm}/ on the Quarkus-based Red Hat build of Keycloak) for Set-Cookie: KC_RESTART= headers when the request carries a request_uri, and base64url-decode the JWT payload to verify whether PAR parameters appear in cleartext.
  • Audit Keycloak version metadata across all deployments to identify instances running affected releases of Red Hat Single Sign-On 7 or Red Hat build of Keycloak 22.
  • Review web application firewall and reverse proxy logs for request_uri parameter usage tied to clients that rely on PAR for confidentiality, since those are the flows in which the cookie is populated.
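The following example, added here and not Keycloak's own code, illustrates both the root cause described above and the first detection strategy. It builds a signed restart cookie in the vulnerable shape (pushed parameters embedded in the payload) and in a hardened shape (payload carries only an opaque server-side reference), then runs a detector over the resulting Set-Cookie headers that decodes the JWT payload without any key, exactly as a user agent could, and reports which authorization parameters are readable. The cookie field names, the HS256 signing key, the parameter list, and the sample pushed request are constructed assumptions for illustration; Keycloak's real cookie layout and realm keys differ.

```python
"""Added example, not Keycloak code. Demonstrates why a signed (not encrypted)
restart cookie leaks PAR parameters, a hardened opaque-reference variant, and a
detector for KC_RESTART Set-Cookie headers. Field names, key and data are
constructed assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Set

# Hypothetical signing key; a real realm signs with its own keys.
SIGNING_KEY = b"example-realm-hmac-key"

# Authorization-request parameters a client may rely on PAR to keep confidential.
SENSITIVE_PARAMS = {"client_id", "scope", "redirect_uri", "login_hint", "claims",
                    "acr_values", "state", "nonce", "request_uri"}

# Constructed sample of parameters a client pushed to the PAR endpoint.
PUSHED = {"scope": "openid payments", "login_hint": "alice@example.com",
          "redirect_uri": "https://app.example/cb"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(payload: dict) -> str:
    """Compact JWS with HS256. Signed only: the payload is readable by anyone."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def restart_cookie_vulnerable(client_id: str, par_params: Dict[str, str]) -> str:
    """Vulnerable pattern: the pushed parameters are serialized into the cookie."""
    return sign_jws({"cid": client_id, "notes": par_params})


PAR_STORE: Dict[str, Dict[str, str]] = {}  # server-side state keyed by opaque id


def restart_cookie_hardened(client_id: str, par_params: Dict[str, str]) -> str:
    """Hardened pattern: parameters stay server-side, cookie carries a reference."""
    ref = secrets.token_urlsafe(16)
    PAR_STORE[ref] = dict(par_params)
    return sign_jws({"cid": client_id, "par_ref": ref})


def resolve_hardened(cookie: str) -> Optional[Dict[str, str]]:
    """Server side: recover the pushed parameters from the opaque reference."""
    payload = json.loads(b64url_decode(cookie.split(".")[1]))
    return PAR_STORE.get(payload.get("par_ref", ""))


def extract_kc_restart(set_cookie_headers: List[str]) -> Optional[str]:
    """Return the KC_RESTART value from a list of Set-Cookie header values."""
    for hdr in set_cookie_headers:
        name, _, rest = hdr.partition("=")
        if name.strip() == "KC_RESTART":
            return rest.split(";", 1)[0].strip()
    return None


def _walk(obj, found: Set[str]) -> None:
    """Recursively collect sensitive parameter names from a decoded payload."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in SENSITIVE_PARAMS:
                found.add(key)
            _walk(value, found)
    elif isinstance(obj, list):
        for value in obj:
            _walk(value, found)


def leaked_params(set_cookie_headers: List[str]) -> List[str]:
    """Decode the KC_RESTART JWS payload (no key needed) and list readable parameters."""
    cookie = extract_kc_restart(set_cookie_headers)
    if cookie is None or cookie.count(".") != 2:
        return []
    try:
        payload = json.loads(b64url_decode(cookie.split(".")[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return []
    found: Set[str] = set()
    _walk(payload, found)
    return sorted(found)


def demo():
    """Detector output for a vulnerable and a hardened response."""
    attrs = "; Path=/realms/demo; HttpOnly; Secure"
    vuln_hdr = "KC_RESTART=" + restart_cookie_vulnerable("payments-app", PUSHED) + attrs
    hard_hdr = "KC_RESTART=" + restart_cookie_hardened("payments-app", PUSHED) + attrs
    return leaked_params([vuln_hdr]), leaked_params([hard_hdr])


if __name__ == "__main__":
    print(demo())
```

The detector deliberately skips signature verification: the point is what a user agent can read, and a signature never hides a JWS payload. To use it against a live server, capture the Set-Cookie headers of the authorization-endpoint response to a request_uri request (for example with the browser's network panel or an intercepting proxy) and pass them to leaked_params; a non-empty result on a server that should be patched is a finding.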

Monitoring Recommendations

  • Forward Keycloak access logs and authorization endpoint telemetry to a centralized analytics platform and alert on anomalous cookie sizes or unexpected KC_RESTART issuance patterns.
  • Monitor for cross-site scripting attempts or browser-based cookie exfiltration targeting the Keycloak origin.
  • Track OAuth client behavior to identify clients that adopt PAR, since those are the integrations whose confidentiality guarantees this flaw breaks.

How to Mitigate CVE-2024-4540

Immediate Actions Required

  • Apply the Red Hat Security Advisories addressing CVE-2024-4540, including RHSA-2024:3566, RHSA-2024:3567, and the related advisories through RHSA-2024:3576.
  • Inventory all Keycloak and Red Hat Single Sign-On deployments and identify clients configured to use Pushed Authorization Requests, since only request_uri flows populate the cookie with pushed parameters.
  • Treat any authorization parameters those clients pushed to a vulnerable server (login hints, requested claims, scopes, redirect URIs and similar context) as potentially disclosed to the user agent, and rotate any secret material that a client may have placed in such parameters as a precaution.

Patch Information

Red Hat published fixes through multiple advisories in June 2024 covering Red Hat build of Keycloak and Red Hat Single Sign-On. Operators should consult RHSA-2024:3568, RHSA-2024:3570, RHSA-2024:3572, RHSA-2024:3573, RHSA-2024:3574, and RHSA-2024:3575 to select the advisory matching their deployment channel and apply the fixed package versions.

Workarounds

  • Disable or restrict PAR in client configurations until the patched Keycloak version is deployed if confidentiality of authorization parameters from the user agent is a requirement; a plain front-channel authorization request leaks the same parameters, so this only helps where the alternative is not to send the sensitive parameters at all.
  • Keep Keycloak's cookie attributes (HttpOnly, Secure) and a strict Content Security Policy in place on the Keycloak origin to reduce the risk of cookie theft via cross-site scripting. This does not close the flaw, because the cookie is disclosed to the user agent itself, and SameSite=Strict should not be forced on login-flow cookies, as it breaks the cross-site redirect on which the authorization flow depends.
  • Limit network exposure of Keycloak administrative and authorization endpoints to trusted networks and identity-aware proxies until patching is complete.
bash
# Red Hat Single Sign-On 7 (RPM channel): list the installed packages and apply vendor updates
rpm -qa | grep -Ei 'keycloak|rh-sso'
sudo dnf update rh-sso7-keycloak
# Red Hat build of Keycloak 22 ships as a zip archive or container image rather than an RPM:
# report the running build from the installation directory instead
bin/kc.sh --version
# Confirm the deployed build matches the version listed in the relevant RHSA-2024:35xx advisory

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
