
Keycloak MCP Server — agentic threat model

AIVSS 9.9 · Critical

The Keycloak MCP Server presents an extremely high-risk profile because it exposes powerful administrative identity management capabilities directly to LLMs. Compromise or prompt injection could lead to unauthorized privilege escalation, realm modification, or full identity provider takeover.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 9.8 · AARS uplift: 0.1 · Factor sum: 4.6/10 · Threat multiplier: ×1.1 · Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0–1.0):

Autonomy of Action: 0.70
Goal-Driven Planning: 0.40
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.20
Contextual Awareness: 0.30
Dynamic Identity: 0.80
Multi-Agent Interactions: 0.50
Non-Determinism: 0.30
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
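The formula above worked through with this listing's values, as an added example that is not part of the AIVSS calculator or of this page's own tooling; the range checks, the cap at 10 and the one-decimal rounding are assumptions, and the second run shows how a stronger mitigation factor would move the score.

```python
# Added example: the OWASP AIVSS formula as stated on this page, worked
# through with the listed values. Not the AIVSS calculator's own code.

# The ten agentic risk factors for this agent, each in [0, 1] (page values).
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.40,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.30,
    "Dynamic Identity": 0.80,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.30,
    "Opacity & Reflexivity": 0.40,
}


def aars(cvss_base: float, factors: dict, threat_multiplier: float) -> float:
    """Agentic AI Risk Score: the headroom left above the CVSS base (10 - CVSS)
    scaled by the normalised factor sum and the threat multiplier (ThM)."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:  # range check is an assumption, not page text
            raise ValueError(f"{name} must be in [0, 1], got {value}")
    factor_sum = sum(factors.values())
    return (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier


def aivss(cvss_base: float, factors: dict, threat_multiplier: float,
          mitigation_factor: float) -> float:
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor.
    Capping at 10 and rounding to one decimal are assumptions."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in [0, 10]")
    raw = (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor
    return round(min(raw, 10.0), 1)


if __name__ == "__main__":
    # Page values: CVSS 9.8, threat x1.1, mitigation x1.0 -> AARS ~0.1, AIVSS 9.9
    print("factor sum:", round(sum(AGENTIC_FACTORS.values()), 1))
    print("AARS:", round(aars(9.8, AGENTIC_FACTORS, 1.1), 2))
    print("AIVSS:", aivss(9.8, AGENTIC_FACTORS, 1.1, 1.0))
    # Same agent if compensating controls earned a 0.8 mitigation factor.
    print("AIVSS with mitigation x0.8:", aivss(9.8, AGENTIC_FACTORS, 1.1, 0.8))
```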

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description does not pin that layer down.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The MCP server itself does not specify a foundation model, as it acts as a tool provider for external LLMs; however, adversarial prompt injection on the host LLM could trigger unauthorized Keycloak administrative actions.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — No internal vector database or RAG pipeline is described, but the agent queries and modifies highly sensitive identity data from Keycloak databases.

L3 · Agent Frameworks (✓ mapped)

Exposes roughly 40 MCP tools for Keycloak management. The primary threat is tool misuse or unauthorized tool execution, where an LLM is tricked into calling administrative tools (e.g., creating admin users or disabling MFA) via prompt injection.

L4 · Deployment & Infrastructure (✓ mapped)

The server holds critical Keycloak admin credentials. Compromise of the hosting environment or MCP transport layer would expose these credentials, leading to full identity provider takeover.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — No built-in guardrails, evaluation frameworks, or specialized logging are mentioned; standard MCP/Keycloak logs must be relied upon to detect anomalous tool invocations.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Directly impacts identity, authentication, and authorization. Misconfiguration or exploitation of this agent bypasses standard administrative controls and risks unauthorized privilege escalation, which in turn violates compliance frameworks such as SOC 2 or ISO 27001.

L7 · Agent Ecosystem (✓ mapped)

As an MCP server, it is designed to be called by other agents or LLM clients. A compromised orchestrator agent or a malicious multi-agent workflow could abuse this agent to gain persistent backdoor access to the entire enterprise identity infrastructure.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).