SB2025031143 - Multiple vulnerabilities in Keycloak



SB2025031143 - Multiple vulnerabilities in Keycloak

Published: March 11, 2025 Updated: June 29, 2026

Security Bulletin ID SB2025031143
CSH Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2025-1391)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper mapping of users to organizations based solely on email/username patterns. A remote attacker can trick an organization administrator into allowing user access based on naming pattern if, for example, self-registration is enabled and unrestricted.


2) Improper authentication (CVE-ID: CVE-2025-0604)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass authentication process.

The vulnerability exists due to Keycloak does not perform an LDAP bind after a password reset. A remote user can bypass authentication process for expired or disabled AD accounts gain unauthorized access to the application.


3) Comparison using wrong factors (CVE-ID: CVE-2026-9800)

CWE-ID: CWE-1025 - Comparison using wrong factors

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to bypass authorization policies and gain unauthorized access to protected resources.

The vulnerability exists due to comparison using wrong factors in the Keycloak Policy Enforcer when handling request URLs containing the configured access-denied page path. A remote user can include the configured access-denied page path in a request URL as a path segment or query parameter to bypass authorization policies and gain unauthorized access to protected resources.

This can bypass role, scope, and User-Managed Access (UMA) permission checks.


Remediation

Install update from vendor's website.