CVE-2024-7341 HIGH

CVE-2024-7341: Wildfly-elytron: org.keycloak/keycloak-services: session fixation in elytron saml adapters

Vendor Red Hat
Product Red Hat Build of Keycloak
Weakness CWE-384 · Session fixation
Published September 9, 2024
Last update April 1, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. Because the pre-authentication session ID stays valid after login, an attacker who already controls or knows the victim's session before authentication ends up holding an authenticated session, which is the session fixation condition.
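To make the failure mode concrete, here is an added model (not Keycloak or WildFly Elytron code) of a servlet-style session store with and without session ID rotation at login, together with a check a defender can run to confirm that a session ID issued before authentication is no longer valid afterwards. The names SessionStore and fixation_possible are constructed for this example.

```python
import secrets

class SessionStore:
    """Minimal in-memory model of a container session table keyed by JSESSIONID."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> session attributes

    def new_session(self) -> str:
        """Issue an anonymous session, as happens on first contact before login."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate the session and return the id the client must use from now on.

        Vulnerable behaviour (rotate_on_login=False): the pre-login id is kept and
        simply becomes authenticated. Hardened behaviour: the old id is dropped and a
        fresh one is issued, so any id learned before login is worthless afterwards.
        """
        if not self.rotate_on_login:
            self.sessions[sid]["user"] = user
            return sid
        attrs = self.sessions.pop(sid)      # invalidate the pre-login id
        new_sid = secrets.token_hex(16)
        attrs["user"] = user
        self.sessions[new_sid] = attrs
        return new_sid

    def user_for(self, sid: str):
        """Who is authenticated under this id, or None if the id is unknown/anonymous."""
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def fixation_possible(store: SessionStore) -> bool:
    """Regression check: does an id known before login identify the user after login?"""
    pre_login_id = store.new_session()           # id observable before authentication
    post_login_id = store.login(pre_login_id, "alice")
    assert store.user_for(post_login_id) == "alice"   # the legitimate client is logged in
    return store.user_for(pre_login_id) == "alice"    # True means CWE-384 is present
```

Running the check against both configurations shows that only the store that rotates the id at login makes the pre-login id useless.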

Key dates

Disclosure timeline

September 9, 2024 CVE published
April 1, 2026 Record updated