CVE-2025-10939
Org.keycloak/keycloak-quarkus-server: unable to restrict access to the admin console
Severity Score
3.7
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application path relative to /realms which is expected to be exposed.
New images are available for Red Hat build of Keycloak 26.4.4 and Red Hat build of Keycloak 26.4.4 Operator, running on OpenShift Container Platform.
*Credits:
Red Hat would like to thank Sebastian Reigber (AEB) for reporting this issue.
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2025-09-25 CVE Reserved
- 2025-10-28 CVE Published
- 2025-12-19 CVE Updated
- 2026-01-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-427: Uncontrolled Search Path Element
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://github.com/keycloak/keycloak/issues/43763 | ||
| https://github.com/keycloak/keycloak/pull/43765 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2025-10939 | 2025-10-28 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2398025 | 2025-10-28 | |
| https://access.redhat.com/errata/RHSA-2025:21370 | 2025-12-19 | |
| https://access.redhat.com/errata/RHSA-2025:21371 | 2025-12-19 |