SB2025111840 - Multiple vulnerabilities in Red Hat build of Keycloak 26.4

Published: November 18, 2025

Security Bulletin ID: SB2025111840
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 80%
Medium: 20%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Protection mechanism failure (CVE-ID: CVE-2025-10939)

The vulnerability allows a remote attacker to gain access to the administrative interface.

The vulnerability exists due to incorrect processing of URL paths when the server sits behind certain proxy servers, such as HAProxy. A remote attacker can force the application to resolve relative/non-normalized paths and thereby reach the /admin application path relative to /realms.
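One edge-side mitigation and detection for the path-normalization issue above, as an added example that is not part of this bulletin and not code from Keycloak or HAProxy: refuse any request whose path is not already in canonical form, and route by the canonical form only, run here over a few constructed access-log lines. `ADMIN_PREFIX` and the log format are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed illustration, not Keycloak's or HAProxy's code: an edge check that
# rejects request paths which are not already canonical, so dot-segments, doubled
# slashes or encoded traversal can never be resolved by the backend into a
# different application prefix than the one the proxy saw.
ADMIN_PREFIX = "/admin"  # assumption: the prefix that must not be reached indirectly


def canonical_path(raw_target: str) -> str:
    """Drop the query, percent-decode, collapse runs of '/', resolve '.' and '..'."""
    path = unquote(raw_target.split("?", 1)[0]) or "/"
    return posixpath.normpath(re.sub(r"/+", "/", path))


def classify(raw_target: str) -> str:
    """'reject' for a non-canonical path, 'admin' when the canonical path sits
    under ADMIN_PREFIX, otherwise 'ok'. Routing must use the canonical form."""
    path = unquote(raw_target.split("?", 1)[0]) or "/"
    # a single trailing slash is the only tolerated difference from normpath()
    plain = path[:-1] if path.endswith("/") and path != "/" else path
    canon = canonical_path(raw_target)
    if plain != canon:
        return "reject"
    if canon == ADMIN_PREFIX or canon.startswith(ADMIN_PREFIX + "/"):
        return "admin"
    return "ok"


def scan_access_log(lines):
    """Apply classify() to the request target of each common-log-format line."""
    results = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m:
            results.append((m.group(1), classify(m.group(1))))
    return results


SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.5 - - [18/Nov/2025:10:00:00 +0000] "GET /realms/master/protocol/openid-connect/auth?client_id=app HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Nov/2025:10:00:01 +0000] "GET /realms/master/../../admin/ HTTP/1.1" 200 2048',
    '10.0.0.5 - - [18/Nov/2025:10:00:02 +0000] "GET /realms/%2e%2e/admin/master/console/ HTTP/1.1" 200 2048',
    '10.0.0.9 - - [18/Nov/2025:10:00:03 +0000] "GET /admin/master/console/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for target, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{verdict:6s} {target}")
```

Requests classified as "reject" never reach the backend; "admin" requests can then be restricted at the proxy to the networks that should see the console, regardless of how the path was spelled.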


2) Configuration (CVE-ID: CVE-2025-11538)

The issue may allow a remote attacker to gain unauthorized access to the application.

The issue exists due to an insecure default configuration of the server when debug mode is enabled. By default the server binds the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0), exposing the debug interface to remote attackers.


3) Insufficient session expiration (CVE-ID: CVE-2025-12110)

The vulnerability allows a remote attacker to compromise the sessions of other users.

The vulnerability exists because Keycloak does not invalidate offline sessions when the offline_access scope is removed. The refresh token is still accepted and can be used to request new tokens for the session. A remote authenticated attacker can compromise sessions of other user accounts.


4) Improper authentication (CVE-ID: CVE-2025-12150)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an error in WebAuthn Attestation Statement verification. The application allows registration of arbitrary authenticators even when direct attestation and AAGUID restrictions should be enforced. A remote attacker can bypass the 2FA authentication process and gain unauthorized access to the application.


5) Session fixation (CVE-ID: CVE-2025-12390)

The vulnerability allows a local user to gain access to another session.

The vulnerability exists due to accidental session identifier reuse when logging in on the same device. A local user can get access to another user's session if both use the same device and browser.


Remediation

Install the update from the vendor's website.