CVE-2025-10939
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-28

Last updated on: 2025-11-13

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application path relative to /realms which is expected to be exposed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-28
Last Modified
2025-11-13
Generated
2026-06-16
AI Q&A
2025-10-28
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10939
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
redhat keycloak 26.4.4
redhat keycloak 3.1
redhat keycloak-quarkus-server 26.4.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Keycloak involves a flaw where the /admin path can be accessed through relative or non-normalized paths when using a proxy like ha-proxy. Although Keycloak guides recommend not exposing the /admin path externally, this issue allows an attacker to bypass that restriction by tricking the proxy to access the /admin application path relative to /realms, which is normally exposed.

Impact Analysis

The vulnerability can allow unauthorized access to the /admin interface of Keycloak when using a proxy, potentially exposing administrative functions that should be protected. This could lead to unauthorized information disclosure or limited administrative access, although the CVSS score indicates a low severity impact with only confidentiality affected and no impact on integrity or availability.

Mitigation Strategies

To mitigate this vulnerability, ensure that the /admin path of Keycloak is not exposed to the outside when using a proxy. Follow Keycloak guides to restrict access to the /admin application path, especially when using proxies like ha-proxy, to prevent unauthorized access via relative or non-normalized paths.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10939. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart