Home

Description

A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors.

PUBLISHED Reserved 2025-09-05 | Published 2025-09-05 | Updated 2025-09-22 | Assigner redhat




MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
affected

26.2.9-1 (rpm) before *
unaffected

Default status
affected

26.2-9 (rpm) before *
unaffected

Default status
affected

26.2-9 (rpm) before *
unaffected

Default status
unaffected

Timeline

2025-09-05:Reported to Red Hat.
2025-09-05:Made public.

References

access.redhat.com/errata/RHSA-2025:16399 (RHSA-2025:16399) vendor-advisory

access.redhat.com/errata/RHSA-2025:16400 (RHSA-2025:16400) vendor-advisory

access.redhat.com/security/cve/CVE-2025-10044 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2393551 (RHBZ#2393551) issue-tracking

cve.org (CVE-2025-10044)

nvd.nist.gov (CVE-2025-10044)

Download JSON