CVE-2025-12150

Low CVSS: 3.1

A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.

Vendor

Redhat

Product

Build Of Keycloak

CWE

CWE-347

Yayın Tarihi

2026-02-27 09:16:15

Güncelleme

2026-03-05 02:19:42

Source Identifier

secalert@redhat.com

KEV Date Added

Kategoriler

CWE-347 Build Of Keycloak LOW Redhat 2026

Referanslar

https://access.redhat.com/errata/RHSA-2025:21370 https://access.redhat.com/errata/RHSA-2025:21371 https://access.redhat.com/errata/RHSA-2025:22088 https://access.redhat.com/errata/RHSA-2025:22089 https://access.redhat.com/security/cve/CVE-2025-12150 https://bugzilla.redhat.com/show_bug.cgi?id=2406192 https://github.com/keycloak/keycloak/issues/43723

Benzer Kayıtlar

High

CVE-2026-28369

A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more…

High

CVE-2026-28368

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where…

Medium

CVE-2026-3121

A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where thi…

Medium

CVE-2026-3190

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to…

Low

CVE-2026-4874

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating t…

Low

CVE-2026-4633

A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login…