CVE-2025-0604
5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycloak, bypassing AD restrictions. The issue enables authentication bypass and could allow unauthorized access under certain conditions.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
0 < 26.0.10 | affected | ||
0 < 26.1.3 | affected | ||
| Red Hat | Red Hat build of Keycloak 26.0 | 26.0.10-3 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.0 | 26.0-11 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.0 | 26.0-12 < * | unaffected |
Weaknesses
- CWE-287: Improper Authentication
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://access.redhat.com/errata/RHSA-2025:2544
- https://access.redhat.com/errata/RHSA-2025:2545
- https://access.redhat.com/security/cve/CVE-2025-0604
- https://bugzilla.redhat.com/show_bug.cgi?id=2338993
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.