Security Flaw in Keycloak Allows Phishing Attacks Through Error Messages
CVE-2025-10044
Key Information:
- Vendor: Keycloak
- Status: Vendor
- CVE Published: 5 September 2025
What is CVE-2025-10044?
A security flaw in Keycloak allows for arbitrary text to be passed in the error_description query parameter, which is subsequently rendered without adequate validation or sanitization. This deficiency means that attackers can craft malicious URLs containing deceptive messages, such as fake support contact numbers or misleading links. When users interact with these manipulated messages within the trusted Keycloak interface, they may be misled into engaging with malicious entities, significantly increasing the risk of phishing attacks.
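The safe pattern for an error page is to never display the caller-supplied description at all: choose a server-owned message from the `error` code and keep the description, if well-formed, for diagnostics only. The following is an added example written for this page, not Keycloak's own code; the error-code table, the message texts, the 200-character cap and the function names are assumptions of the example. It contrasts a handler that echoes `error_description` verbatim, which is the behaviour the advisory describes, with a hardened handler, and also shows why HTML-escaping alone is not enough here: escaping stops markup injection, but a plain-text "call this number" message survives escaping untouched.

```python
"""Server-side rendering of an OAuth/OIDC error page (added example, not Keycloak code)."""
import html
import re
from urllib.parse import parse_qs

# Allowlisted error codes from RFC 6749 section 4.1.2.1, each mapped to a message
# the server owns. The user only ever sees text from this table; message wording
# is an assumption of this example.
KNOWN_ERRORS = {
    "invalid_request": "The login request was malformed. Please start again.",
    "unauthorized_client": "This application is not allowed to perform this request.",
    "access_denied": "Access was denied.",
    "unsupported_response_type": "The requested response type is not supported.",
    "invalid_scope": "The requested scope is not valid.",
    "server_error": "The server encountered an unexpected error.",
    "temporarily_unavailable": "The service is temporarily unavailable. Please try again later.",
}
GENERIC_MESSAGE = "Login failed. Please try again or contact your administrator."

# RFC 6749 restricts error_description to printable ASCII without '"' or '\'.
# The 200-character cap is an assumption of this example, not part of the RFC.
_WELL_FORMED = re.compile(r"^[\x20-\x21\x23-\x5B\x5D-\x7E]{1,200}$")


def _first(params, name):
    """Return the first value of a query parameter, or '' if absent."""
    return params.get(name, [""])[0]


def render_error_vulnerable(query_string):
    """Echoes attacker-controlled text into the trusted page (the flawed pattern)."""
    desc = _first(parse_qs(query_string), "error_description")
    return f'<p class="error">{desc}</p>'


def render_error_escaped_only(query_string):
    """Escapes the description: blocks markup, but deceptive plain text still renders."""
    desc = _first(parse_qs(query_string), "error_description")
    return f'<p class="error">{html.escape(desc)}</p>'


def render_error_hardened(query_string):
    """Shows only a server-chosen message; the supplied description never reaches the page."""
    params = parse_qs(query_string)
    message = KNOWN_ERRORS.get(_first(params, "error"), GENERIC_MESSAGE)
    return f'<p class="error">{html.escape(message)}</p>'


def description_for_log(query_string):
    """Keep the supplied description for diagnostics only, and only if it is
    well-formed per RFC 6749; otherwise record a fixed marker so oversized or
    malformed input cannot pollute the log."""
    desc = _first(parse_qs(query_string), "error_description")
    if desc and _WELL_FORMED.match(desc):
        return desc
    return "<rejected error_description>"


if __name__ == "__main__":
    # Constructed sample query string carrying a deceptive support-contact message
    # (555-0100 is a reserved fictional number).
    sample = "error=access_denied&error_description=Login+blocked.+Call+support+at+%2B1-555-0100"
    print("vulnerable :", render_error_vulnerable(sample))
    print("escaped    :", render_error_escaped_only(sample))
    print("hardened   :", render_error_hardened(sample))
    print("log entry  :", description_for_log(sample))
```

Detection-wise, the `description_for_log` value is what you would alert on: an `error_description` that does not match the message Keycloak itself would have produced for that `error` code is a sign that someone is crafting URLs against your login page.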

Affected Version(s)
- keycloak: 0 < 26.2.9 (all versions before 26.2.9)
- Red Hat build of Keycloak 26.0: 26.0.17-1
- Red Hat build of Keycloak 26.0: 26.0-21
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved
