Improper authentication in Keycloak - CVE-2025-12150

 

Improper authentication in Keycloak - CVE-2025-12150

Published: November 18, 2025


Vulnerability identifier: #VU118578
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-12150
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in WebAuthn Attestation Statement verification. The application allows registration of arbitrary authenticators even when direct attestation and AAGUID restrictions should be enforced. A remote attacker can bypass 2FA authentication process and gain unauthorized access to the application.


How to mitigate CVE-2025-12150

Install updates from vendor's website.

Sources