CVE-2025-10939
Org.keycloak/keycloak-quarkus-server: unable to restrict access to the admin console
A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application path relative to /realms which is expected to be exposed.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Productos afectados
Keycloak · keycloakRed Hat · Red Hat build of Keycloak 26.4Red Hat · Red Hat build of Keycloak 26.4.4¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://access.redhat.com/errata/RHSA-2025:21370https://access.redhat.com/errata/RHSA-2025:21371https://access.redhat.com/security/cve/CVE-2025-10939https://bugzilla.redhat.com/show_bug.cgi?id=2398025https://github.com/keycloak/keycloak/issues/43763https://github.com/keycloak/keycloak/pull/43765