
CSRF vulnerability in Keycloak Account Service

Though there is a CSRF token used in the Keycloak Account service, there is a CSRF token fixation vulnerability.

To prevent CSRF, a cookie named KEYCLOAK_STATE_CHECKER is used (CSRF defense method: "Double submit cookie"). The CSRF token is required to be unique for each session. But, as this cookie accepts a user-agent-provided value at login and the cookie is not cleared at logout, the value of the CSRF token is the same across sessions for users using the same user-agent.

This vulnerability can be exploited by an attacker to steal this cookie from the victim's browser, even when there is no active victim session. And then, the value can be used by the attacker to perform the CSRF attack. The impact of this attack can be as bad as an attacker taking over as the admin of the IDP and exploiting any application hosted using this IDP service.

A fix for the issue is requested here.

My question is: is there a solution or workaround for the problem until an actual fix is provided?
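The mechanism described in the question can be modelled in a few lines. The following is an added illustration, not Keycloak's code and not part of the question or answer: a minimal in-memory account service that implements the double-submit-cookie check, once with the two defects the question names (the state-checker cookie is accepted from the user agent at login and is not cleared at logout) and once with the fix applied (a fresh random value is minted on every login and the cookie is cleared on logout). The class name, the session cookie name and the form-field name `stateChecker` are assumptions chosen for the demo; only the cookie name KEYCLOAK_STATE_CHECKER comes from the question.

```python
"""Double-submit-cookie CSRF check with and without token fixation.

Added illustration; not Keycloak's code. AccountService, the SESSION cookie
and the stateChecker form field are assumed names for this demo.
"""
import hmac
import secrets

STATE_COOKIE = "KEYCLOAK_STATE_CHECKER"  # cookie name from the report
STATE_FIELD = "stateChecker"             # assumed hidden form-field name


class AccountService:
    """Minimal stand-in for a login/logout service that checks form posts."""

    def __init__(self, fix_applied: bool):
        self.fix_applied = fix_applied
        self.sessions = {}  # session id -> state-checker token bound to it

    def login(self, cookies: dict) -> dict:
        """Return the browser's cookie jar after the server's Set-Cookie headers."""
        if not self.fix_applied and STATE_COOKIE in cookies:
            # Weak: reuse whatever value the user agent already holds (fixation).
            token = cookies[STATE_COOKIE]
        else:
            # Hardened: always mint a fresh, unpredictable per-session value.
            token = secrets.token_urlsafe(32)
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = token
        jar = dict(cookies)
        jar.update({"SESSION": sid, STATE_COOKIE: token})
        return jar

    def logout(self, cookies: dict) -> dict:
        """Return the cookies left in the browser after logout."""
        self.sessions.pop(cookies.get("SESSION"), None)
        jar = dict(cookies)
        jar.pop("SESSION", None)
        if self.fix_applied:
            jar.pop(STATE_COOKIE, None)  # hardened: clear the checker too
        return jar

    def handle_form(self, cookies: dict, form: dict) -> bool:
        """Accept a state-changing POST only if the double-submit check passes."""
        expected = self.sessions.get(cookies.get("SESSION"))
        if expected is None:
            return False  # no live session
        submitted = form.get(STATE_FIELD, "")
        cookie_val = cookies.get(STATE_COOKIE, "")
        # Cookie, form field and the value bound to the session must all agree.
        return (hmac.compare_digest(submitted, cookie_val)
                and hmac.compare_digest(submitted, expected))


def cross_session_reuse_accepted(fix_applied: bool) -> bool:
    """Does a checker value captured during session 1 still pass in session 2?

    Models the report: same user agent, log in, log out, log in again, then a
    cross-site request whose form carries the earlier value while the browser
    attaches its current cookies automatically.
    """
    svc = AccountService(fix_applied)
    browser = svc.login({})             # session 1
    captured = browser[STATE_COOKIE]    # value present in the browser
    browser = svc.logout(browser)
    browser = svc.login(browser)        # session 2, same user agent
    return svc.handle_form(browser, {STATE_FIELD: captured})


def legitimate_submit_accepted(fix_applied: bool) -> bool:
    """A genuine form post from the current session must still be accepted."""
    svc = AccountService(fix_applied)
    browser = svc.login({})
    return svc.handle_form(browser, {STATE_FIELD: browser[STATE_COOKIE]})


if __name__ == "__main__":
    print("weak service accepts stale token:", cross_session_reuse_accepted(False))
    print("fixed service accepts stale token:", cross_session_reuse_accepted(True))
```

The point the model makes explicit is that a double-submit cookie is only as good as the server's control over the cookie's value: if the server honours a value the client already presents, the "secret" half of the check is no longer secret to the session, and whatever was in the browser earlier keeps working. Minting the token server-side on every login (and clearing it on logout) restores the per-session property the question says is required.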
Solution

  • The vulnerability is fixed in Keycloak version 3.3.0.Final. So, the Keycloak version can be updated to the latest to overcome this vulnerability.