CVE-2025-3910

Summary

A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.

Affected Software

VendorProductVersion RangeStatus
25.0.0 < 25.*affected
26.0.0 < 26.0.11affected
26.1.0 < 26.1.*unknown
26.2.0 < 26.2.2affected
Red HatRed Hat build of Keycloak 26.026.0.11-2 < *unaffected
Red HatRed Hat build of Keycloak 26.026.0-12 < *unaffected
Red HatRed Hat build of Keycloak 26.026.0-13 < *unaffected

Weaknesses

  • CWE-287: Improper Authentication

Workarounds

No current mitigations are available for this vulnerability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References