Security Flaw in Keycloak Allows Unauthorized Access to Admin Path
CVE-2025-10939

3.7LOW

Key Information:

Vendor: Red Hat
Status: Red Hat Build Of Keycloak
Vendor: CVE Published:; 28 October 2025

What is CVE-2025-10939?

A security flaw in Keycloak has been identified, which may allow unauthorized access to the /admin application path through improper proxy configuration. The vulnerability arises when the recommended security measures, particularly regarding the exposure of admin paths, are not followed. When utilizing proxies like HAProxy, attackers can potentially manipulate requests using relative or non-normalized paths, thereby gaining access to critical administrative functionalities. Proper safeguards must be implemented to secure administrative paths from external exposure.

References

https://access.redhat.com/security/cve/CVE-2025-10939

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2398025

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 28, 2025
Vulnerability Reserved
Sep 25, 2025

JSON

Red Hat

What is CVE-2025-10939?

References

CVSS V3.1

Timeline