CVE-2023-6563 HIGH

CVE-2023-6563: Keycloak: offline session token dos

Vendor Red Hat
Product Single Sign-On 7.6.6
Weakness CWE-770 · Uncontrolled resource consumption
Published December 14, 2023
Last update November 11, 2025

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Changed
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01Description

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in deployments that hold millions of offline tokens (more than 500,000 users, each with at least two saved sessions). If an attacker creates two or more user sessions and the "consents" tab of the admin user interface is then opened, the UI attempts to load a huge number of offline client sessions, leading to excessive memory and CPU consumption that could crash the entire server. Because the number of sessions loaded is never bounded (CWE-770), the attacker needs only a low-privilege account and a realm whose offline-session store is already very large; the impact is on availability alone, and the scope is rated as changed because a single user's action takes down the SSO server and with it every application that depends on it.
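As an added illustration of the CWE-770 pattern the description names (this is example code, not Keycloak's own code and not a reproduction of the flaw): a toy offline-session store in which one lookup materialises every offline client session in the realm and only then filters for the user being inspected, next to a hardened lookup that queries by user under a hard cap and refuses the request past that cap instead of loading the whole result. The store, the sample realm, the user and client names and the `max_results` cap are all constructed for this example.

```python
"""Model of an unbounded versus a bounded offline-session lookup (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import islice


@dataclass(frozen=True)
class OfflineClientSession:
    user_id: str
    client_id: str
    session_id: str


class SessionStore:
    """Toy offline-session store, constructed for this example (not Keycloak's)."""

    def __init__(self):
        self._all = []                      # every offline client session in the realm
        self._by_user = defaultdict(list)   # index that the bounded query relies on
        self.materialized = 0               # rows handed to the caller by the last query

    def add(self, session):
        self._all.append(session)
        self._by_user[session.user_id].append(session)

    def all_offline_client_sessions(self):
        """Unbounded scan: yields every offline client session in the realm."""
        for session in self._all:
            self.materialized += 1
            yield session

    def offline_client_sessions_for_user(self, user_id, max_results):
        """Bounded query: only the given user's sessions, at most max_results of them."""
        for session in islice(self._by_user.get(user_id, ()), max_results):
            self.materialized += 1
            yield session


class TooManySessions(Exception):
    """Raised instead of materialising a result set larger than the cap."""


def consents_unbounded(store, user_id):
    """CWE-770 shape: load the whole realm's sessions, then filter in memory."""
    store.materialized = 0
    sessions = list(store.all_offline_client_sessions())
    return sorted({s.client_id for s in sessions if s.user_id == user_id})


def consents_bounded(store, user_id, max_results=100):
    """Hardened shape: query by user, cap the result, fail loudly past the cap."""
    store.materialized = 0
    # Ask for one row beyond the cap so an over-large result is detected
    # without loading all of it.
    sessions = list(store.offline_client_sessions_for_user(user_id, max_results + 1))
    if len(sessions) > max_results:
        raise TooManySessions(f"{user_id} has more than {max_results} offline client sessions")
    return sorted({s.client_id for s in sessions})


def exceeds_cap(store, user_id, max_results):
    """True when the bounded lookup refuses because the user is over the cap."""
    try:
        consents_bounded(store, user_id, max_results)
    except TooManySessions:
        return True
    return False


def build_realm(n_users, sessions_per_user, attacker="user-7", attacker_sessions=3):
    """Constructed sample realm: n_users regular users plus an attacker with extra sessions."""
    store = SessionStore()
    for i in range(n_users):
        uid = f"user-{i}"
        for j in range(sessions_per_user):
            store.add(OfflineClientSession(uid, f"client-{j % 2}", f"{uid}-s{j}"))
    for j in range(attacker_sessions):
        store.add(OfflineClientSession(attacker, f"client-{j % 2}", f"{attacker}-extra{j}"))
    return store


def demo():
    """Both lookups give the same consents; only the rows materialised differ."""
    store = build_realm(n_users=1000, sessions_per_user=2)
    unbounded = consents_unbounded(store, "user-7")
    loaded_unbounded = store.materialized     # every session in the realm
    bounded = consents_bounded(store, "user-7")
    loaded_bounded = store.materialized       # only user-7's sessions
    return unbounded, loaded_unbounded, bounded, loaded_bounded


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the ratio between the two `materialized` counts: the unbounded lookup's cost grows with the size of the whole realm, so a realm with millions of offline sessions pays that cost on every visit to the page, regardless of which user is being inspected, while the bounded lookup's cost grows only with the inspected user's sessions and has a ceiling the server chooses.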

Key dates

02Disclosure timeline

December 14, 2023 CVE published
November 11, 2025 Record updated