keycloak-services is vulnerable to user deletion through an incorrect permissions check. A malicious user that has access to a service account can delete users in a seperate realm.
lists.jboss.org/pipermail/keycloak-user/2016-October/007914.html
rhn.redhat.com/errata/RHSA-2017-0876.html
www.securityfocus.com/bid/97392
www.securitytracker.com/id/1038180
access.redhat.com/errata/RHSA-2017:0872
access.redhat.com/errata/RHSA-2017:0873
bugzilla.redhat.com/show_bug.cgi?id=1388988
github.com/keycloak/keycloak/pull/3440