Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-13467 (GCVE-0-2025-13467)
Vulnerability from cvelistv5 – Published: 2025-11-25 16:02 – Updated: 2025-12-23 21:00
VLAI
EPSS
Title
Org.keycloak.storage.ldap: keycloak: deserialization of untrusted data in ldap user federation
Summary
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.
Severity
5.5 (Medium)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2025:22088 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2025:22089 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2025:22090 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2025:22091 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2025-13467 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2416038 | issue-trackingx_refsource_REDHAT |
| https://github.com/keycloak/keycloak/commit/754c0… | |
| https://github.com/keycloak/keycloak/issues/44478 |
Impacted products
9 products
| Vendor | Product | Version | |
|---|---|---|---|
| Keycloak | Keycloak |
Affected:
0 , < 26.4.6
(semver)
|
|
| Red Hat | Red Hat build of Keycloak 26.2 |
Unaffected:
26.2.11-1 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.2::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.2 |
Unaffected:
26.2-12 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.2::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.2 |
Unaffected:
26.2-12 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.2::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.2.11 |
cpe:/a:redhat:build_keycloak:26.2::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4.6-1 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4-6 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4-5 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4.6 |
cpe:/a:redhat:build_keycloak:26.4::el9 |
Date Public
2025-11-25 00:00
Credits
Red Hat would like to thank Icare & truff (YWH) for reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13467",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-25T16:28:07.106292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T16:28:32.684Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/keycloak/keycloak",
"defaultStatus": "unaffected",
"packageName": "keycloak",
"product": "Keycloak",
"vendor": "Keycloak",
"versions": [
{
"lessThan": "26.4.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.2::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.2.11-1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.2::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.2-12",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.2::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.2-12",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.2::el9"
],
"defaultStatus": "unaffected",
"packageName": "keycloak",
"product": "Red Hat build of Keycloak 26.2.11",
"vendor": "Red Hat"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4.6-1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-5",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "unaffected",
"packageName": "keycloak",
"product": "Red Hat build of Keycloak 26.4.6",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Icare \u0026 truff (YWH) for reporting this issue."
}
],
"datePublic": "2025-11-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T21:00:22.666Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2025:22088",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:22088"
},
{
"name": "RHSA-2025:22089",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:22089"
},
{
"name": "RHSA-2025:22090",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:22090"
},
{
"name": "RHSA-2025:22091",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:22091"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-13467"
},
{
"name": "RHBZ#2416038",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416038"
},
{
"url": "https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328"
},
{
"url": "https://github.com/keycloak/keycloak/issues/44478"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-20T03:12:47.343Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-11-25T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Org.keycloak.storage.ldap: keycloak: deserialization of untrusted data in ldap user federation",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-502: Deserialization of Untrusted Data"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-13467",
"datePublished": "2025-11-25T16:02:21.105Z",
"dateReserved": "2025-11-20T03:12:40.336Z",
"dateUpdated": "2025-12-23T21:00:22.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-13467",
"date": "2026-05-28",
"epss": "0.00062",
"percentile": "0.19597"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-13467\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2025-11-25T16:16:06.623\",\"lastModified\":\"2025-12-23T21:15:47.077\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2025:22088\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2025:22089\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2025:22090\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2025:22091\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2025-13467\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2416038\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/keycloak/keycloak/issues/44478\",\"source\":\"secalert@redhat.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-13467\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-25T16:28:07.106292Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-25T16:28:27.482Z\"}}], \"cna\": {\"title\": \"Org.keycloak.storage.ldap: keycloak: deserialization of untrusted data in ldap user federation\", \"credits\": [{\"lang\": \"en\", \"value\": \"Red Hat would like to thank Icare \u0026 truff (YWH) for reporting this issue.\"}], \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Moderate\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"Keycloak\", \"product\": \"Keycloak\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"26.4.6\", \"versionType\": \"semver\"}], \"packageName\": \"keycloak\", \"collectionURL\": \"https://github.com/keycloak/keycloak\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.2::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.2\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.2.11-1\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-operator-bundle\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.2::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.2\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.2-12\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.2::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.2\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.2-12\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-rhel9-operator\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.2::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.2.11\", \"packageName\": \"keycloak\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.4.6-1\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-operator-bundle\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.4-6\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.4-5\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-rhel9-operator\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4.6\", \"packageName\": \"keycloak\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-11-20T03:12:47.343Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2025-11-25T00:00:00.000Z\", \"value\": \"Made public.\"}], \"datePublic\": \"2025-11-25T00:00:00.000Z\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2025:22088\", \"name\": \"RHSA-2025:22088\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2025:22089\", \"name\": \"RHSA-2025:22089\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2025:22090\", \"name\": \"RHSA-2025:22090\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2025:22091\", \"name\": \"RHSA-2025:22091\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2025-13467\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2416038\", \"name\": \"RHBZ#2416038\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328\"}, {\"url\": \"https://github.com/keycloak/keycloak/issues/44478\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\"}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2025-12-23T21:00:22.666Z\"}, \"x_redhatCweChain\": \"CWE-502: Deserialization of Untrusted Data\"}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-13467\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-23T21:00:22.666Z\", \"dateReserved\": \"2025-11-20T03:12:40.336Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2025-11-25T16:02:21.105Z\", \"assignerShortName\": \"redhat\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2025-13467
Vulnerability from fkie_nvd - Published: 2025-11-25 16:16 - Updated: 2026-04-15 00:35
Severity
Summary
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration."
}
],
"id": "CVE-2025-13467",
"lastModified": "2026-04-15T00:35:42.020",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
},
"published": "2025-11-25T16:16:06.623",
"references": [
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2025:22088"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2025:22089"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2025:22090"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2025:22091"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/security/cve/CVE-2025-13467"
},
{
"source": "secalert@redhat.com",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416038"
},
{
"source": "secalert@redhat.com",
"url": "https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328"
},
{
"source": "secalert@redhat.com",
"url": "https://github.com/keycloak/keycloak/issues/44478"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
}
GHSA-4HX9-48XH-5MXR
Vulnerability from github – Published: 2025-12-19 21:31 – Updated: 2026-02-17 17:48
VLAI
Summary
Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
Details
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.
Mitigation
Disable LDAP referrals in all LDAP user providers in all realms if projects cannot upgrade to the patched versions.
Severity
5.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-ldap-federation"
},
"ranges": [
{
"events": [
{
"introduced": "26.3.0"
},
{
"fixed": "26.4.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-ldap-federation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.2.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-13467"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-19T21:31:05Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.\n\n### Mitigation\n\nDisable LDAP referrals in all LDAP user providers in all realms if projects cannot upgrade to the patched versions.",
"id": "GHSA-4hx9-48xh-5mxr",
"modified": "2026-02-17T17:48:45Z",
"published": "2025-12-19T21:31:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-4hx9-48xh-5mxr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13467"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/44478"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/b90fec41ff17a70858d830750156a8a2e13ddb82"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22088"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-13467"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416038"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/releases/tag/26.4.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization"
}
GHSA-93VM-MQPW-8WH3
Vulnerability from github – Published: 2025-11-25 18:32 – Updated: 2025-12-23 21:30
VLAI
Summary
Duplicate Advisory: Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
Details
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-4hx9-48xh-5mxr. This link is maintained to preserve external references.
Original Description
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.
Severity
5.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-ldap-federation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.4.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-26T22:01:36Z",
"nvd_published_at": "2025-11-25T16:16:06Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-4hx9-48xh-5mxr. This link is maintained to preserve external references.\n\n### Original Description\n\nA flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.",
"id": "GHSA-93vm-mqpw-8wh3",
"modified": "2025-12-23T21:30:23Z",
"published": "2025-11-25T18:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13467"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/44478"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22088"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22089"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22090"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22091"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-13467"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416038"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/releases/tag/26.4.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization",
"withdrawn": "2025-12-19T21:27:08Z"
}
RHSA-2025:22088
Vulnerability from csaf_redhat - Published: 2025-11-25 16:12 - Updated: 2026-03-18 03:12Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.2.11 Images Security Update
Severity
Moderate
Notes
Topic: New images are available for Red Hat build of Keycloak 26.2.11 and Red Hat build of Keycloak 26.2.11 Operator, running on OpenShift Container Platform
Details: Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.
Red Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.2.11 clusters.
This erratum releases new images for Red Hat build of Keycloak 26.2.11 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.
Security fixes:
* Deserialization of Untrusted Data in LDAP User Federation (CVE-2025-13467)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.
5.4 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.
5.4 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.
CWE-347 - Improper Verification of Cryptographic SignatureAffected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.
6.0 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.
5.5 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
31 references
Acknowledgments
Red Hat
Alexander Schwartz
cnlab
Stefan Kunz
CTS EVENTIM Solutions GmbH
Simon Levermann
YWH
Icare & truff
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New images are available for Red Hat build of Keycloak 26.2.11 and Red Hat build of Keycloak 26.2.11 Operator, running on OpenShift Container Platform",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\nRed Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.2.11 clusters.\nThis erratum releases new images for Red Hat build of Keycloak 26.2.11 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity fixes:\n* Deserialization of Untrusted Data in LDAP User Federation (CVE-2025-13467)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:22088",
"url": "https://access.redhat.com/errata/RHSA-2025:22088"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_22088.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.2.11 Images Security Update",
"tracking": {
"current_release_date": "2026-03-18T03:12:03+00:00",
"generator": {
"date": "2026-03-18T03:12:03+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2025:22088",
"initial_release_date": "2025-11-25T16:12:38+00:00",
"revision_history": [
{
"date": "2025-11-25T16:12:38+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-11-25T16:12:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-18T03:12:03+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.2",
"product": {
"name": "Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"product_id": "rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.2-12"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"product": {
"name": "rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"product_id": "rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-operator-bundle\u0026tag=26.2.11-1"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.2-12"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"product_id": "rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.2-12"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.2-12"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"product_id": "rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.2-12"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.2-12"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64",
"product_id": "rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.2-12"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.2-12"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64 as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64"
},
"product_reference": "rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64 as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64 as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64 as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64 as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64",
"relates_to_product_reference": "9Base-RHBK-26.2"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Alexander Schwartz"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2025-11429",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2025-10-07T12:40:34.287000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2402148"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the \"Remember Me\" realm setting on existing user sessions. Sessions created while \"Remember Me\" was active retain their extended session lifetime until they expire, overriding the administrator\u0027s recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local \"remember-me\" flag without validating the current realm-level configuration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak-server: Too long and not settings compliant session",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-11429"
},
{
"category": "external",
"summary": "RHBZ#2402148",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402148"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-11429",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11429"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-11429",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11429"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d",
"url": "https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b",
"url": "https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/issues/43328",
"url": "https://github.com/keycloak/keycloak/issues/43328"
}
],
"release_date": "2025-10-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-25T16:12:38+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22088"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak-server: Too long and not settings compliant session"
},
{
"cve": "CVE-2025-12110",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2025-10-23T13:59:13.455000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2406033"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak:keycloak-services: User can refresh offline session even after client\u0027s offline_access scope was removed",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-12110"
},
{
"category": "external",
"summary": "RHBZ#2406033",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406033"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-12110",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12110"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-12110",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12110"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/pull/43790",
"url": "https://github.com/keycloak/keycloak/pull/43790"
}
],
"release_date": "2025-10-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-25T16:12:38+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22088"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: org.keycloak:keycloak-services: User can refresh offline session even after client\u0027s offline_access scope was removed"
},
{
"acknowledgments": [
{
"names": [
"Stefan Kunz"
],
"organization": "cnlab"
}
],
"cve": "CVE-2025-12150",
"cwe": {
"id": "CWE-347",
"name": "Improper Verification of Cryptographic Signature"
},
"discovery_date": "2025-10-24T11:25:25.758000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2406192"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u2019s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: \"none\", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: WebAuthn Attestation Statement Verification Bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue was rated Low. The vulnerability requires user interaction to manipulate the WebAuthn registration process, has high attack complexity, and limited impact, affecting only policy enforcement within the Keycloak instance. Exploitation does not compromise confidentiality or availability, and the attacker cannot bypass attestation restrictions without either intercepting the registration flow or using a rogue authenticator under user control.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-12150"
},
{
"category": "external",
"summary": "RHBZ#2406192",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406192"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-12150",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-12150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12150"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/issues/43723",
"url": "https://github.com/keycloak/keycloak/issues/43723"
}
],
"release_date": "2025-10-28T15:04:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-25T16:12:38+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22088"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "org.keycloak/keycloak-services: WebAuthn Attestation Statement Verification Bypass"
},
{
"acknowledgments": [
{
"names": [
"Simon Levermann"
],
"organization": "CTS EVENTIM Solutions GmbH"
}
],
"cve": "CVE-2025-12390",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2025-10-28T13:12:25.841000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2406793"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user\u0027s session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn\u2019t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.protocol.oidc.endpoints.LogoutEndpoint: Offline Session takeover due to reused Authentication Session ID",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-12390"
},
{
"category": "external",
"summary": "RHBZ#2406793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406793"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-12390",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12390"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-12390",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12390"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/issues/43853",
"url": "https://github.com/keycloak/keycloak/issues/43853"
}
],
"release_date": "2025-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-25T16:12:38+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22088"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak.protocol.oidc.endpoints.LogoutEndpoint: Offline Session takeover due to reused Authentication Session ID"
},
{
"acknowledgments": [
{
"names": [
"Icare \u0026 truff"
],
"organization": "YWH"
}
],
"cve": "CVE-2025-13467",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2025-11-20T03:12:47.343000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2416038"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.storage.ldap: Keycloak: Deserialization of Untrusted Data in LDAP User Federation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-13467"
},
{
"category": "external",
"summary": "RHBZ#2416038",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416038"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-13467",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13467"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-13467",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13467"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328",
"url": "https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/issues/44478",
"url": "https://github.com/keycloak/keycloak/issues/44478"
}
],
"release_date": "2025-11-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-25T16:12:38+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22088"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak.storage.ldap: Keycloak: Deserialization of Untrusted Data in LDAP User Federation"
}
]
}
RHSA-2025:22089
Vulnerability from csaf_redhat - Published: 2025-11-25 16:06 - Updated: 2026-03-18 03:12Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.2.11 Security Update
Severity
Moderate
Notes
Topic: New Red Hat build of Keycloak 26.2.11 packages are available from the Customer Portal
Details: Red Hat build of Keycloak 26.2.11 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
Security fixes:
* Deserialization of Untrusted Data in LDAP User Federation (CVE-2025-13467)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.
5.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.2.11
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.2::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.
5.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.2.11
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.2::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.
CWE-347 - Improper Verification of Cryptographic SignatureAffected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.2.11
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.2::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.
6.0 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.2.11
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.2::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.
5.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.2.11
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.2::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
31 references
Acknowledgments
Red Hat
Alexander Schwartz
cnlab
Stefan Kunz
CTS EVENTIM Solutions GmbH
Simon Levermann
YWH
Icare & truff
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat build of Keycloak 26.2.11 packages are available from the Customer Portal",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak 26.2.11 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nSecurity fixes:\n* Deserialization of Untrusted Data in LDAP User Federation (CVE-2025-13467)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:22089",
"url": "https://access.redhat.com/errata/RHSA-2025:22089"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_22089.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.2.11 Security Update",
"tracking": {
"current_release_date": "2026-03-18T03:12:03+00:00",
"generator": {
"date": "2026-03-18T03:12:03+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2025:22089",
"initial_release_date": "2025-11-25T16:06:13+00:00",
"revision_history": [
{
"date": "2025-11-25T16:06:13+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-11-25T16:06:13+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-18T03:12:03+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.2.11",
"product": {
"name": "Red Hat build of Keycloak 26.2.11",
"product_id": "Red Hat build of Keycloak 26.2.11",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Alexander Schwartz"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2025-11429",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2025-10-07T12:40:34.287000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2402148"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the \"Remember Me\" realm setting on existing user sessions. Sessions created while \"Remember Me\" was active retain their extended session lifetime until they expire, overriding the administrator\u0027s recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local \"remember-me\" flag without validating the current realm-level configuration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak-server: Too long and not settings compliant session",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.2.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-11429"
},
{
"category": "external",
"summary": "RHBZ#2402148",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402148"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-11429",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11429"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-11429",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11429"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d",
"url": "https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b",
"url": "https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/issues/43328",
"url": "https://github.com/keycloak/keycloak/issues/43328"
}
],
"release_date": "2025-10-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-25T16:06:13+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.2.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22089"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.2.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.2.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak-server: Too long and not settings compliant session"
},
{
"cve": "CVE-2025-12110",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2025-10-23T13:59:13.455000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2406033"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak:keycloak-services: User can refresh offline session even after client\u0027s offline_access scope was removed",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.2.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-12110"
},
{
"category": "external",
"summary": "RHBZ#2406033",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406033"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-12110",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12110"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-12110",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12110"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/pull/43790",
"url": "https://github.com/keycloak/keycloak/pull/43790"
}
],
"release_date": "2025-10-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-25T16:06:13+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.2.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22089"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.2.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.2.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: org.keycloak:keycloak-services: User can refresh offline session even after client\u0027s offline_access scope was removed"
},
{
"acknowledgments": [
{
"names": [
"Stefan Kunz"
],
"organization": "cnlab"
}
],
"cve": "CVE-2025-12150",
"cwe": {
"id": "CWE-347",
"name": "Improper Verification of Cryptographic Signature"
},
"discovery_date": "2025-10-24T11:25:25.758000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2406192"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u2019s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: \"none\", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: WebAuthn Attestation Statement Verification Bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue was rated Low. The vulnerability requires user interaction to manipulate the WebAuthn registration process, has high attack complexity, and limited impact, affecting only policy enforcement within the Keycloak instance. Exploitation does not compromise confidentiality or availability, and the attacker cannot bypass attestation restrictions without either intercepting the registration flow or using a rogue authenticator under user control.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.2.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-12150"
},
{
"category": "external",
"summary": "RHBZ#2406192",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406192"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-12150",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-12150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12150"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/issues/43723",
"url": "https://github.com/keycloak/keycloak/issues/43723"
}
],
"release_date": "2025-10-28T15:04:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-25T16:06:13+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.2.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22089"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.2.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.2.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "org.keycloak/keycloak-services: WebAuthn Attestation Statement Verification Bypass"
},
{
"acknowledgments": [
{
"names": [
"Simon Levermann"
],
"organization": "CTS EVENTIM Solutions GmbH"
}
],
"cve": "CVE-2025-12390",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2025-10-28T13:12:25.841000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2406793"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user\u0027s session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn\u2019t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.protocol.oidc.endpoints.LogoutEndpoint: Offline Session takeover due to reused Authentication Session ID",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.2.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-12390"
},
{
"category": "external",
"summary": "RHBZ#2406793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406793"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-12390",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12390"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-12390",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12390"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/issues/43853",
"url": "https://github.com/keycloak/keycloak/issues/43853"
}
],
"release_date": "2025-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-25T16:06:13+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.2.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22089"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.2.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.2.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak.protocol.oidc.endpoints.LogoutEndpoint: Offline Session takeover due to reused Authentication Session ID"
},
{
"acknowledgments": [
{
"names": [
"Icare \u0026 truff"
],
"organization": "YWH"
}
],
"cve": "CVE-2025-13467",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2025-11-20T03:12:47.343000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2416038"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.storage.ldap: Keycloak: Deserialization of Untrusted Data in LDAP User Federation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.2.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-13467"
},
{
"category": "external",
"summary": "RHBZ#2416038",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416038"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-13467",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13467"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-13467",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13467"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328",
"url": "https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/issues/44478",
"url": "https://github.com/keycloak/keycloak/issues/44478"
}
],
"release_date": "2025-11-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-25T16:06:13+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.2.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22089"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.2.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.2.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak.storage.ldap: Keycloak: Deserialization of Untrusted Data in LDAP User Federation"
}
]
}
RHSA-2025:22090
Vulnerability from csaf_redhat - Published: 2025-11-25 16:24 - Updated: 2026-03-18 03:12Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.4.6 Images Security Update
Severity
Moderate
Notes
Topic: New images are available for Red Hat build of Keycloak 26.4.6 and Red Hat build of Keycloak 26.4.6 Operator, running on OpenShift Container Platform
Details: Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.
Red Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.4.6 clusters.
This erratum releases new images for Red Hat build of Keycloak 26.4.6 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.
Security fixes:
* Deserialization of Untrusted Data in LDAP User Federation (CVE-2025-13467)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.
5.5 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:21319807f584783e091bbd03066624d759e699e72e38f42f8e69f5d59d1ca31c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:4a70c9fc5c12822bdc9dad06b0455d9b4ae847f080123856b8bf4f683933e60b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:68f820e741c80a4cc1b1498531a40bfb4d2776bb52247d206e9ba698ef951930_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c0dbea4bb061452767b52b634550477237495bf48600994c5efe9a5e28766a19_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cce8f176c7ecde1910ceeb3d814b9bf2d2d63ccbfcd5a1eb0eb83efe0d9852b2_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:4e76367ad0340f93653ccadbb0f82c96194c28951fde84d00b146f2372c949e7_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:710b71ca582a96e3617ca04d819bd2df428003a8c3fd9bc5f28aea45766809bd_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c5d3ee80cd09b752b94f763850774b02336a8f10a9d5e3decb0d6941bae7c70c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:f7388968b2c6662174ebb6befe25eae4d48be2c5a684a1cabc3be79e2be3827a_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
9 references
Acknowledgments
YWH
Icare & truff
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New images are available for Red Hat build of Keycloak 26.4.6 and Red Hat build of Keycloak 26.4.6 Operator, running on OpenShift Container Platform",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\nRed Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.4.6 clusters.\nThis erratum releases new images for Red Hat build of Keycloak 26.4.6 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity fixes:\n* Deserialization of Untrusted Data in LDAP User Federation (CVE-2025-13467)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:22090",
"url": "https://access.redhat.com/errata/RHSA-2025:22090"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_22090.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.4.6 Images Security Update",
"tracking": {
"current_release_date": "2026-03-18T03:12:04+00:00",
"generator": {
"date": "2026-03-18T03:12:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2025:22090",
"initial_release_date": "2025-11-25T16:24:09+00:00",
"revision_history": [
{
"date": "2025-11-25T16:24:09+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-11-25T16:24:09+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-18T03:12:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.4",
"product": {
"name": "Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:710b71ca582a96e3617ca04d819bd2df428003a8c3fd9bc5f28aea45766809bd_amd64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:710b71ca582a96e3617ca04d819bd2df428003a8c3fd9bc5f28aea45766809bd_amd64",
"product_id": "rhbk/keycloak-rhel9@sha256:710b71ca582a96e3617ca04d819bd2df428003a8c3fd9bc5f28aea45766809bd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:710b71ca582a96e3617ca04d819bd2df428003a8c3fd9bc5f28aea45766809bd?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-6"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-operator-bundle@sha256:21319807f584783e091bbd03066624d759e699e72e38f42f8e69f5d59d1ca31c_amd64",
"product": {
"name": "rhbk/keycloak-operator-bundle@sha256:21319807f584783e091bbd03066624d759e699e72e38f42f8e69f5d59d1ca31c_amd64",
"product_id": "rhbk/keycloak-operator-bundle@sha256:21319807f584783e091bbd03066624d759e699e72e38f42f8e69f5d59d1ca31c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-operator-bundle@sha256:21319807f584783e091bbd03066624d759e699e72e38f42f8e69f5d59d1ca31c?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-operator-bundle\u0026tag=26.4.6-1"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:c0dbea4bb061452767b52b634550477237495bf48600994c5efe9a5e28766a19_amd64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:c0dbea4bb061452767b52b634550477237495bf48600994c5efe9a5e28766a19_amd64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:c0dbea4bb061452767b52b634550477237495bf48600994c5efe9a5e28766a19_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:c0dbea4bb061452767b52b634550477237495bf48600994c5efe9a5e28766a19?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-5"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:f7388968b2c6662174ebb6befe25eae4d48be2c5a684a1cabc3be79e2be3827a_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:f7388968b2c6662174ebb6befe25eae4d48be2c5a684a1cabc3be79e2be3827a_ppc64le",
"product_id": "rhbk/keycloak-rhel9@sha256:f7388968b2c6662174ebb6befe25eae4d48be2c5a684a1cabc3be79e2be3827a_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:f7388968b2c6662174ebb6befe25eae4d48be2c5a684a1cabc3be79e2be3827a?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-6"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:cce8f176c7ecde1910ceeb3d814b9bf2d2d63ccbfcd5a1eb0eb83efe0d9852b2_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:cce8f176c7ecde1910ceeb3d814b9bf2d2d63ccbfcd5a1eb0eb83efe0d9852b2_ppc64le",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:cce8f176c7ecde1910ceeb3d814b9bf2d2d63ccbfcd5a1eb0eb83efe0d9852b2_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:cce8f176c7ecde1910ceeb3d814b9bf2d2d63ccbfcd5a1eb0eb83efe0d9852b2?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-5"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:4e76367ad0340f93653ccadbb0f82c96194c28951fde84d00b146f2372c949e7_s390x",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:4e76367ad0340f93653ccadbb0f82c96194c28951fde84d00b146f2372c949e7_s390x",
"product_id": "rhbk/keycloak-rhel9@sha256:4e76367ad0340f93653ccadbb0f82c96194c28951fde84d00b146f2372c949e7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:4e76367ad0340f93653ccadbb0f82c96194c28951fde84d00b146f2372c949e7?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-6"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:4a70c9fc5c12822bdc9dad06b0455d9b4ae847f080123856b8bf4f683933e60b_s390x",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:4a70c9fc5c12822bdc9dad06b0455d9b4ae847f080123856b8bf4f683933e60b_s390x",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:4a70c9fc5c12822bdc9dad06b0455d9b4ae847f080123856b8bf4f683933e60b_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:4a70c9fc5c12822bdc9dad06b0455d9b4ae847f080123856b8bf4f683933e60b?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-5"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:c5d3ee80cd09b752b94f763850774b02336a8f10a9d5e3decb0d6941bae7c70c_arm64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:c5d3ee80cd09b752b94f763850774b02336a8f10a9d5e3decb0d6941bae7c70c_arm64",
"product_id": "rhbk/keycloak-rhel9@sha256:c5d3ee80cd09b752b94f763850774b02336a8f10a9d5e3decb0d6941bae7c70c_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:c5d3ee80cd09b752b94f763850774b02336a8f10a9d5e3decb0d6941bae7c70c?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-6"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:68f820e741c80a4cc1b1498531a40bfb4d2776bb52247d206e9ba698ef951930_arm64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:68f820e741c80a4cc1b1498531a40bfb4d2776bb52247d206e9ba698ef951930_arm64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:68f820e741c80a4cc1b1498531a40bfb4d2776bb52247d206e9ba698ef951930_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:68f820e741c80a4cc1b1498531a40bfb4d2776bb52247d206e9ba698ef951930?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-5"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-operator-bundle@sha256:21319807f584783e091bbd03066624d759e699e72e38f42f8e69f5d59d1ca31c_amd64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:21319807f584783e091bbd03066624d759e699e72e38f42f8e69f5d59d1ca31c_amd64"
},
"product_reference": "rhbk/keycloak-operator-bundle@sha256:21319807f584783e091bbd03066624d759e699e72e38f42f8e69f5d59d1ca31c_amd64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:4a70c9fc5c12822bdc9dad06b0455d9b4ae847f080123856b8bf4f683933e60b_s390x as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:4a70c9fc5c12822bdc9dad06b0455d9b4ae847f080123856b8bf4f683933e60b_s390x"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:4a70c9fc5c12822bdc9dad06b0455d9b4ae847f080123856b8bf4f683933e60b_s390x",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:68f820e741c80a4cc1b1498531a40bfb4d2776bb52247d206e9ba698ef951930_arm64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:68f820e741c80a4cc1b1498531a40bfb4d2776bb52247d206e9ba698ef951930_arm64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:68f820e741c80a4cc1b1498531a40bfb4d2776bb52247d206e9ba698ef951930_arm64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:c0dbea4bb061452767b52b634550477237495bf48600994c5efe9a5e28766a19_amd64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c0dbea4bb061452767b52b634550477237495bf48600994c5efe9a5e28766a19_amd64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:c0dbea4bb061452767b52b634550477237495bf48600994c5efe9a5e28766a19_amd64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:cce8f176c7ecde1910ceeb3d814b9bf2d2d63ccbfcd5a1eb0eb83efe0d9852b2_ppc64le as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cce8f176c7ecde1910ceeb3d814b9bf2d2d63ccbfcd5a1eb0eb83efe0d9852b2_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:cce8f176c7ecde1910ceeb3d814b9bf2d2d63ccbfcd5a1eb0eb83efe0d9852b2_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:4e76367ad0340f93653ccadbb0f82c96194c28951fde84d00b146f2372c949e7_s390x as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:4e76367ad0340f93653ccadbb0f82c96194c28951fde84d00b146f2372c949e7_s390x"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:4e76367ad0340f93653ccadbb0f82c96194c28951fde84d00b146f2372c949e7_s390x",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:710b71ca582a96e3617ca04d819bd2df428003a8c3fd9bc5f28aea45766809bd_amd64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:710b71ca582a96e3617ca04d819bd2df428003a8c3fd9bc5f28aea45766809bd_amd64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:710b71ca582a96e3617ca04d819bd2df428003a8c3fd9bc5f28aea45766809bd_amd64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:c5d3ee80cd09b752b94f763850774b02336a8f10a9d5e3decb0d6941bae7c70c_arm64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c5d3ee80cd09b752b94f763850774b02336a8f10a9d5e3decb0d6941bae7c70c_arm64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:c5d3ee80cd09b752b94f763850774b02336a8f10a9d5e3decb0d6941bae7c70c_arm64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:f7388968b2c6662174ebb6befe25eae4d48be2c5a684a1cabc3be79e2be3827a_ppc64le as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:f7388968b2c6662174ebb6befe25eae4d48be2c5a684a1cabc3be79e2be3827a_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:f7388968b2c6662174ebb6befe25eae4d48be2c5a684a1cabc3be79e2be3827a_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.4"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Icare \u0026 truff"
],
"organization": "YWH"
}
],
"cve": "CVE-2025-13467",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2025-11-20T03:12:47.343000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2416038"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.storage.ldap: Keycloak: Deserialization of Untrusted Data in LDAP User Federation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:21319807f584783e091bbd03066624d759e699e72e38f42f8e69f5d59d1ca31c_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:4a70c9fc5c12822bdc9dad06b0455d9b4ae847f080123856b8bf4f683933e60b_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:68f820e741c80a4cc1b1498531a40bfb4d2776bb52247d206e9ba698ef951930_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c0dbea4bb061452767b52b634550477237495bf48600994c5efe9a5e28766a19_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cce8f176c7ecde1910ceeb3d814b9bf2d2d63ccbfcd5a1eb0eb83efe0d9852b2_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:4e76367ad0340f93653ccadbb0f82c96194c28951fde84d00b146f2372c949e7_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:710b71ca582a96e3617ca04d819bd2df428003a8c3fd9bc5f28aea45766809bd_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c5d3ee80cd09b752b94f763850774b02336a8f10a9d5e3decb0d6941bae7c70c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:f7388968b2c6662174ebb6befe25eae4d48be2c5a684a1cabc3be79e2be3827a_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-13467"
},
{
"category": "external",
"summary": "RHBZ#2416038",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416038"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-13467",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13467"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-13467",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13467"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328",
"url": "https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/issues/44478",
"url": "https://github.com/keycloak/keycloak/issues/44478"
}
],
"release_date": "2025-11-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-25T16:24:09+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:21319807f584783e091bbd03066624d759e699e72e38f42f8e69f5d59d1ca31c_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:4a70c9fc5c12822bdc9dad06b0455d9b4ae847f080123856b8bf4f683933e60b_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:68f820e741c80a4cc1b1498531a40bfb4d2776bb52247d206e9ba698ef951930_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c0dbea4bb061452767b52b634550477237495bf48600994c5efe9a5e28766a19_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cce8f176c7ecde1910ceeb3d814b9bf2d2d63ccbfcd5a1eb0eb83efe0d9852b2_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:4e76367ad0340f93653ccadbb0f82c96194c28951fde84d00b146f2372c949e7_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:710b71ca582a96e3617ca04d819bd2df428003a8c3fd9bc5f28aea45766809bd_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c5d3ee80cd09b752b94f763850774b02336a8f10a9d5e3decb0d6941bae7c70c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:f7388968b2c6662174ebb6befe25eae4d48be2c5a684a1cabc3be79e2be3827a_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22090"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:21319807f584783e091bbd03066624d759e699e72e38f42f8e69f5d59d1ca31c_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:4a70c9fc5c12822bdc9dad06b0455d9b4ae847f080123856b8bf4f683933e60b_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:68f820e741c80a4cc1b1498531a40bfb4d2776bb52247d206e9ba698ef951930_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c0dbea4bb061452767b52b634550477237495bf48600994c5efe9a5e28766a19_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cce8f176c7ecde1910ceeb3d814b9bf2d2d63ccbfcd5a1eb0eb83efe0d9852b2_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:4e76367ad0340f93653ccadbb0f82c96194c28951fde84d00b146f2372c949e7_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:710b71ca582a96e3617ca04d819bd2df428003a8c3fd9bc5f28aea45766809bd_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c5d3ee80cd09b752b94f763850774b02336a8f10a9d5e3decb0d6941bae7c70c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:f7388968b2c6662174ebb6befe25eae4d48be2c5a684a1cabc3be79e2be3827a_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:21319807f584783e091bbd03066624d759e699e72e38f42f8e69f5d59d1ca31c_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:4a70c9fc5c12822bdc9dad06b0455d9b4ae847f080123856b8bf4f683933e60b_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:68f820e741c80a4cc1b1498531a40bfb4d2776bb52247d206e9ba698ef951930_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c0dbea4bb061452767b52b634550477237495bf48600994c5efe9a5e28766a19_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cce8f176c7ecde1910ceeb3d814b9bf2d2d63ccbfcd5a1eb0eb83efe0d9852b2_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:4e76367ad0340f93653ccadbb0f82c96194c28951fde84d00b146f2372c949e7_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:710b71ca582a96e3617ca04d819bd2df428003a8c3fd9bc5f28aea45766809bd_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c5d3ee80cd09b752b94f763850774b02336a8f10a9d5e3decb0d6941bae7c70c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:f7388968b2c6662174ebb6befe25eae4d48be2c5a684a1cabc3be79e2be3827a_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak.storage.ldap: Keycloak: Deserialization of Untrusted Data in LDAP User Federation"
}
]
}
RHSA-2025:22091
Vulnerability from csaf_redhat - Published: 2025-11-25 16:07 - Updated: 2026-03-18 03:12Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.4.6 Security Update
Severity
Moderate
Notes
Topic: New Red Hat build of Keycloak 26.4.6 packages are available from the Customer Portal
Details: Red Hat build of Keycloak 26.4.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
Security fixes:
* Deserialization of Untrusted Data in LDAP User Federation (CVE-2025-13467)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.
5.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.6
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
9 references
Acknowledgments
YWH
Icare & truff
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat build of Keycloak 26.4.6 packages are available from the Customer Portal",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak 26.4.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nSecurity fixes:\n* Deserialization of Untrusted Data in LDAP User Federation (CVE-2025-13467)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:22091",
"url": "https://access.redhat.com/errata/RHSA-2025:22091"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_22091.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.4.6 Security Update",
"tracking": {
"current_release_date": "2026-03-18T03:12:05+00:00",
"generator": {
"date": "2026-03-18T03:12:05+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2025:22091",
"initial_release_date": "2025-11-25T16:07:25+00:00",
"revision_history": [
{
"date": "2025-11-25T16:07:25+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-11-25T16:07:25+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-18T03:12:05+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.4.6",
"product": {
"name": "Red Hat build of Keycloak 26.4.6",
"product_id": "Red Hat build of Keycloak 26.4.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Icare \u0026 truff"
],
"organization": "YWH"
}
],
"cve": "CVE-2025-13467",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2025-11-20T03:12:47.343000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2416038"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.storage.ldap: Keycloak: Deserialization of Untrusted Data in LDAP User Federation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.6"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-13467"
},
{
"category": "external",
"summary": "RHBZ#2416038",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416038"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-13467",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13467"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-13467",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13467"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328",
"url": "https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/issues/44478",
"url": "https://github.com/keycloak/keycloak/issues/44478"
}
],
"release_date": "2025-11-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-25T16:07:25+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.6"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22091"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.6"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.6"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak.storage.ldap: Keycloak: Deserialization of Untrusted Data in LDAP User Federation"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…