Authentication Bypass Vulnerability in Keycloak by Red Hat
CVE-2025-12150

3.1LOW

Key Information:

Vendor

Keycloak

Status
Keycloak
Red Hat Build Of Keycloak 26.2
Red Hat Build Of Keycloak 26.2.11
Red Hat Build Of Keycloak 26.4
Vendor
CVE Published:
27 February 2026

What is CVE-2025-12150?

A flaw exists in Keycloak’s WebAuthn registration component that permits an attacker to circumvent the attestation policy. This issue arises when an attacker submits an attestation object with a format of 'none', allowing for the registration of untrusted or fraudulent authenticators, even when the realm requires direct attestation. This vulnerability compromises the integrity of authentication mechanisms and facilitates unauthorized registration of authenticators.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

keycloak 0 < 26.4.4

Red Hat build of Keycloak 26.2 26.2.11-1

Red Hat build of Keycloak 26.2 26.2-12

References

https://access.redhat.com/errata/RHSA-2025:21370
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2025:21371
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2025:22088
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Stefan Kunz (cnlab) for reporting this issue.
JSON
.