Hi,
We have found a security issue: the HttpOnly flag is not set for Keycloak, specifically for the URLs below:
http://URL/auth/admin/master/console
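
One way to check this finding against captured response headers, as an added example that is not part of the original post: it parses raw `Set-Cookie` values and lists the cookies that are set without `HttpOnly`. The cookie names and values are constructed samples, and the function names are hypothetical.

```python
# Constructed sample: raw Set-Cookie header values as they might be captured
# from a response. Cookie names and values are made up for illustration.
SAMPLE_HEADERS = [
    "EXAMPLE_SESSION=abc123; Path=/auth/; Secure; HttpOnly",
    "EXAMPLE_STATE=HttpOnly; Path=/auth/",   # value merely *contains* the word
    "EXAMPLE_LANG=en; Path=/; httponly",     # attribute names are case-insensitive
    "EXAMPLE_OLD=; Path=/; Max-Age=0",       # deletion, carries no secret
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_deletion(attrs):
    """A cookie with Max-Age <= 0 is being cleared, not set."""
    try:
        return int(attrs.get("max-age", "1")) <= 0
    except ValueError:
        return False


def missing_httponly(headers):
    """Return names of cookies that are set without the HttpOnly attribute."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if is_deletion(attrs):
            continue
        # Only the attribute list counts; the cookie value is ignored.
        if "httponly" not in attrs:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for cookie in missing_httponly(SAMPLE_HEADERS):
        print(f"cookie set without HttpOnly: {cookie}")
```

Looking only at the attribute list avoids a false negative when a cookie value happens to contain the string "HttpOnly".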