Security Flaw in Keycloak Allows Phishing Attacks Through Error Messages
CVE-2025-10044

4.3 MEDIUM

Key Information:

Vendor

Red Hat

CVE Published:
5 September 2025

What is CVE-2025-10044?

A security flaw in Keycloak allows arbitrary text supplied in the error_description query parameter to be rendered on the error page without adequate validation or sanitization. Because of this, an attacker can craft a URL whose error_description carries a deceptive message, such as a fake support phone number or a misleading link, and the message is displayed inside the trusted Keycloak interface. Users who act on these manipulated messages may be led to contact or follow malicious entities, significantly increasing the risk of phishing attacks.
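The flaw class above is content injection through an echoed query parameter. As an added example (not Keycloak's code and not its actual fix), the helper below contrasts an error page that echoes error_description verbatim with a hardened one that maps the standard OAuth error code to a locally authored message and only echoes a description when it matches a conservative allowlist; the sample URL is constructed for illustration.

```python
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Fixed, locally authored texts keyed by standard OAuth 2.0 / OIDC error codes.
CANNED_MESSAGES = {
    "invalid_request": "The request was malformed.",
    "unauthorized_client": "This client is not allowed to use this flow.",
    "access_denied": "Access was denied.",
    "unsupported_response_type": "The requested response type is not supported.",
    "invalid_scope": "The requested scope is invalid.",
    "server_error": "An internal error occurred.",
    "temporarily_unavailable": "The service is temporarily unavailable.",
}
GENERIC_MESSAGE = "An error occurred during login."

# Only short, letters-and-spaces descriptions are echoed back (HTML-escaped).
# Digit runs (phone numbers), slashes and colons (URLs) and other characters
# fail the match, so attacker-supplied "support" text is never displayed.
SAFE_DESCRIPTION = re.compile(r"[A-Za-z ,.']{1,120}")


def _params(url: str) -> tuple[str, str]:
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("error", [""])[0], query.get("error_description", [""])[0]


def render_error_unsafe(url: str) -> str:
    """Vulnerable pattern: whatever the URL says is shown to the user."""
    _, description = _params(url)
    return description


def render_error(url: str) -> dict:
    """Hardened pattern: message comes from the error code, not the URL."""
    code, description = _params(url)
    echoed = SAFE_DESCRIPTION.fullmatch(description) is not None
    return {
        "message": CANNED_MESSAGES.get(code, GENERIC_MESSAGE),
        "detail": escape(description) if echoed else "",
        "detail_echoed": echoed,
    }


# Constructed sample: a phishing-style description on an otherwise valid error URL.
SAMPLE_URL = ("https://idp.example/realms/demo/protocol/openid-connect/auth"
              "?error=access_denied&error_description=Account+locked.+Call+555-0100+now")
```

`render_error_unsafe(SAMPLE_URL)` returns the phone-number text for display, while `render_error(SAMPLE_URL)` shows only the canned access-denied message.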

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
