Home
MEDIUM: 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NDefault status
unaffected
25.0.0 (semver) before 25.*
affected
26.0.0 (semver) before 26.0.11
affected
26.1.0 (semver) before 26.1.*
unknown
26.2.0 (semver) before 26.2.2
affected
Default status
unaffected
Default status
affected
26.0.11-2 (rpm) before *
unaffected
Default status
affected
26.0-12 (rpm) before *
unaffected
Default status
affected
26.0-13 (rpm) before *
unaffected
Description
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.
Problem types
Product status
25.0.0 (semver) before 25.*
26.0.0 (semver) before 26.0.11
26.1.0 (semver) before 26.1.*
26.2.0 (semver) before 26.2.2
26.0.11-2 (rpm) before *
26.0-12 (rpm) before *
26.0-13 (rpm) before *
Timeline
| 2025-04-23: | Reported to Red Hat. |
| 2025-04-29: | Made public. |
Credits
This issue was discovered by Marek Posolda (Red Hat).
References
access.redhat.com/errata/RHSA-2025:4335 (RHSA-2025:4335)
access.redhat.com/errata/RHSA-2025:4336 (RHSA-2025:4336)
access.redhat.com/security/cve/CVE-2025-3910
bugzilla.redhat.com/show_bug.cgi?id=2361923 (RHBZ#2361923)
github.com/keycloak/keycloak/issues/39349