CVE-2023-6787: Improper Authentication
A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting "Restart login," an account takeover may occur, as the new session, with a different SUB, will possess the same SID as the previous session.
AI Analysis
Technical Summary
CVE-2023-6787 is a vulnerability identified in Keycloak, an open-source identity and access management solution widely used for single sign-on and authentication services. The flaw is rooted in the re-authentication process within the org.keycloak.authentication module. Specifically, when a user session is active and a new authentication is triggered via the query parameter "prompt=login," the system prompts the user to re-enter credentials. If the user cancels this re-authentication by selecting the "Restart login" option, the system erroneously creates a new session with a different subject identifier (SUB) but retains the same session identifier (SID) as the original session. This session ID reuse allows an attacker to hijack the active session, effectively taking over the user's account without needing to know the user's credentials. The vulnerability is classified under CWE-287 (Improper Authentication) and has a CVSS v3.1 base score of 6.5, indicating medium severity. The attack vector is network-based, requires no privileges, but does require user interaction, specifically the cancellation of the re-authentication prompt. The impact primarily affects session integrity, allowing unauthorized session takeover, but does not compromise confidentiality or availability directly. No patches or exploits are currently publicly available, but the flaw poses a significant risk to environments relying on Keycloak for secure authentication.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized account takeover, which can lead to unauthorized access to sensitive internal systems, data leakage, and potential lateral movement within networks. Given Keycloak's role as a central authentication authority, exploitation could undermine trust in identity management and disrupt secure access to cloud services, enterprise applications, and internal portals. The impact is particularly critical for sectors handling sensitive personal data under GDPR, such as finance, healthcare, and government services, where session hijacking could lead to regulatory non-compliance and reputational damage. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments where social engineering or phishing could induce users to trigger the vulnerable flow. The lack of known exploits in the wild suggests a window for proactive mitigation, but organizations should act swiftly to prevent potential attacks.
Mitigation Recommendations
Organizations should immediately review their Keycloak deployment configurations and monitor for any unusual session behaviors. Although no official patches are currently listed, administrators should:
1) Disable or restrict the use of the "prompt=login" parameter in authentication requests where feasible.
2) Implement strict session management policies that invalidate sessions upon re-authentication attempts or cancellation events.
3) Enhance user awareness training to reduce the likelihood of users canceling re-authentication prompts in suspicious contexts.
4) Employ multi-factor authentication (MFA) to add an additional layer of security beyond session tokens.
5) Monitor authentication logs for anomalies related to session restarts or multiple sessions sharing the same SID.
6) Stay updated with Keycloak vendor advisories for forthcoming patches and apply them promptly.
7) Consider deploying web application firewalls (WAF) rules to detect and block suspicious authentication flows involving the "prompt=login" parameter.
These targeted steps go beyond generic advice by focusing on the specific mechanism exploited by this vulnerability.
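A log-side check for recommendation 5, added here as an illustration; it is not part of the advisory or of Keycloak. The log layout, the event names and every sub/sid value are constructed for the example, so a real Keycloak event stream would need its own parser in place of parse_events.

```python
import re
from collections import defaultdict

# Constructed sample log (not real Keycloak output). Each LOGIN line records the
# subject (sub) and session id (sid) that ended up in the issued token; the
# RESTART_AUTHENTICATION line stands for the user choosing "Restart login".
SAMPLE_LOG = """\
2025-11-11T15:58:01Z type=LOGIN realm=corp client=portal sub=a1b2 sid=s-100 prompt=none
2025-11-11T16:02:14Z type=LOGIN realm=corp client=portal sub=a1b2 sid=s-100 prompt=login
2025-11-11T16:03:40Z type=RESTART_AUTHENTICATION realm=corp client=portal sid=s-100
2025-11-11T16:03:52Z type=LOGIN realm=corp client=portal sub=c3d4 sid=s-100 prompt=login
2025-11-11T16:10:00Z type=LOGIN realm=corp client=hr sub=e5f6 sid=s-200 prompt=none
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn each non-empty line into a dict of key=value fields plus its timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(KV.findall(rest))
        fields["ts"] = ts
        events.append(fields)
    return events

def sids_with_multiple_subs(events):
    """Return {sid: sorted subs} for every sid bound to more than one subject.
    One sid carrying two different subs is the condition the advisory describes."""
    subs_by_sid = defaultdict(set)
    for ev in events:
        if ev.get("type") == "LOGIN" and "sid" in ev and "sub" in ev:
            subs_by_sid[ev["sid"]].add(ev["sub"])
    return {sid: sorted(subs) for sid, subs in subs_by_sid.items() if len(subs) > 1}

def suspicious_restarts(events):
    """Flag each sid where a LOGIN after a restart carries a different sub than the
    LOGIN that preceded the restart. Returns (sid, old_sub, new_sub, timestamp)."""
    last_sub = {}      # sid -> sub of the most recent LOGIN on that sid
    restarted = set()  # sids that saw a restart since their last LOGIN
    hits = []
    for ev in events:
        sid = ev.get("sid")
        if sid is None:
            continue
        if ev.get("type") == "RESTART_AUTHENTICATION":
            restarted.add(sid)
        elif ev.get("type") == "LOGIN":
            sub = ev.get("sub")
            prev = last_sub.get(sid)
            if sid in restarted and prev is not None and prev != sub:
                hits.append((sid, prev, sub, ev["ts"]))
            restarted.discard(sid)
            last_sub[sid] = sub
    return hits
```

The first check catches the end state (one sid, two subs) regardless of ordering; the second narrows alerts to the restart-then-different-subject sequence, which is the one worth paging on.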
Affected Countries
Germany, France, Netherlands, United Kingdom, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2023-12-13T16:22:00.344Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69135f1ff922b639ab566fd7
Added to database: 11/11/2025, 4:06:55 PM
Last enriched: 11/11/2025, 4:22:08 PM
Last updated: 11/11/2025, 5:35:51 PM