Low severity (CVSS 3.7) · GHSA Advisory · Published Oct 28, 2025 · Updated Apr 15, 2026
CVE-2025-10939
Description
A flaw was found in Keycloak. The Keycloak guides recommend not exposing the /admin path externally when the installation sits behind a proxy. The issue occurs at least with HAProxy, which can be tricked by relative or non-normalized request paths into reaching the /admin application path relative to /realms, the path that is expected to be exposed.
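As an added illustration (not code from the advisory or from Keycloak), the check below shows why a proxy deny rule that compares the literal request path is insufficient: the path has to be normalized (percent-decoded, dot segments collapsed) before it is compared against the /admin prefix. The sample requests are constructed, and the blocked-prefix tuple and function names are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Prefixes that must never be reachable through the public proxy.
# /admin comes from the advisory; extend the tuple for your deployment (assumption).
BLOCKED_PREFIXES = ("/admin",)


def normalize_path(raw_path: str) -> str:
    """Resolve a request path the way the backend router will see it.

    Strips the query string, percent-decodes once, collapses "." and ".."
    segments, and removes duplicate and trailing slashes.
    """
    path = unquote(raw_path.split("?", 1)[0])
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)        # "/realms/../admin" -> "/admin"
    return "/" + path.lstrip("/")          # normpath keeps "//x"; collapse it


def _matches_prefix(path: str, prefix: str) -> bool:
    # Segment-aware match: "/admin" and "/admin/..." match, "/adminx" does not.
    return path == prefix or path.startswith(prefix + "/")


def naive_is_allowed(raw_path: str) -> bool:
    """The weak rule: compare the literal request path, no normalization."""
    return not any(_matches_prefix(raw_path, p) for p in BLOCKED_PREFIXES)


def is_allowed(raw_path: str) -> bool:
    """The corrected rule: normalize first, then compare."""
    path = normalize_path(raw_path)
    return not any(_matches_prefix(path, p) for p in BLOCKED_PREFIXES)


# Constructed sample requests: legitimate realm traffic plus non-normalized variants.
SAMPLE_PATHS = [
    "/realms/master/protocol/openid-connect/auth",
    "/realms/../admin/master/console/",
    "/realms/%2e%2e/admin/master/console/",
]


def audit(paths=SAMPLE_PATHS):
    """Return (raw, normalized, naive_verdict, corrected_verdict) for each path."""
    return [(p, normalize_path(p), naive_is_allowed(p), is_allowed(p)) for p in paths]


if __name__ == "__main__":
    for raw, norm, naive, fixed in audit():
        print(f"{raw:42} -> {norm:28} naive={naive!s:5} corrected={fixed}")
```

Running the block prints, for each sample path, the normalized form and the verdict of both rules; only the normalized rule denies the two non-normalized variants.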
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-quarkus-server (Maven) | < 26.4.4 | 26.4.4 |
Affected products: 1
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-vjr8-56p3-fmqq (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-10939 (NVD advisory)
- access.redhat.com/errata/RHSA-2025:21370
- access.redhat.com/errata/RHSA-2025:21371
- access.redhat.com/security/cve/CVE-2025-10939
- bugzilla.redhat.com/show_bug.cgi
- github.com/keycloak/keycloak/security/advisories/GHSA-vjr8-56p3-fmqq
- github.com/keycloak/keycloak/issues/43763
- github.com/keycloak/keycloak/pull/43765