SB2025031143 - Multiple vulnerabilities in Keycloak
Published: March 11, 2025 Updated: June 29, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2025-1391)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper mapping of users to organizations based solely on email/username patterns. A remote attacker can trick an organization administrator into allowing user access based on naming pattern if, for example, self-registration is enabled and unrestricted.
2) Improper authentication (CVE-ID: CVE-2025-0604)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass authentication process.
The vulnerability exists due to Keycloak does not perform an LDAP bind after a password reset. A remote user can bypass authentication process for expired or disabled AD accounts gain unauthorized access to the application.
3) Comparison using wrong factors (CVE-ID: CVE-2026-9800)
CWE-ID: CWE-1025 - Comparison using wrong factors
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to bypass authorization policies and gain unauthorized access to protected resources.
The vulnerability exists due to comparison using wrong factors in the Keycloak Policy Enforcer when handling request URLs containing the configured access-denied page path. A remote user can include the configured access-denied page path in a request URL as a path segment or query parameter to bypass authorization policies and gain unauthorized access to protected resources.
This can bypass role, scope, and User-Managed Access (UMA) permission checks.
Remediation
Install update from vendor's website.