Low severity (CVSS 3.7) · GHSA Advisory · Published Oct 28, 2025 · Updated Apr 15, 2026
CVE-2025-10939
Description
A flaw was found in Keycloak. The Keycloak guides recommend not exposing the /admin path to the outside when the installation sits behind a proxy. The issue occurs at least via HAProxy, which can be tricked into using relative/non-normalized paths to reach the /admin application path relative to /realms, which is expected to be exposed.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-quarkus-server (Maven) | < 26.4.4 | 26.4.4 |
Affected products
OSV coordinates (20 package versions, no CPE assigned):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/keycloak-26.2-compat | < 26.2.5-r6 |
| pkg:apk/chainguard/keycloak-26.3-compat | < 26.3.5-r3 |
| pkg:apk/chainguard/keycloak-26.4 | < 26.4.4-r0 |
| pkg:apk/chainguard/keycloak-26.4-compat | < 26.4.2-r2 |
| pkg:apk/chainguard/keycloak-26.4-iamguarded-compat | < 26.4.5-r0 |
| pkg:apk/chainguard/keycloak-26.4-operator | < 26.4.2-r2 |
| pkg:apk/chainguard/keycloak-26.4-operator-compat | < 26.4.2-r2 |
| pkg:apk/chainguard/keycloak-fips-26.3-operator | < 26.3.5-r4 |
| pkg:apk/chainguard/keycloak-fips-26.3-operator-compat | < 26.3.5-r4 |
| pkg:apk/chainguard/keycloak-fips-26.4 | < 26.4.4-r0 |
| pkg:apk/chainguard/keycloak-fips-26.4-iamguarded-fips | < 26.4.4-r0 |
| pkg:apk/chainguard/keycloak-fips-26.4-operator | < 26.4.4-r0 |
| pkg:apk/chainguard/keycloak-fips-26.4-operator-compat | < 26.4.4-r1 |
| pkg:apk/wolfi/keycloak-26.3-compat | < 26.3.5-r3 |
| pkg:apk/wolfi/keycloak-26.4 | < 26.4.4-r0 |
| pkg:apk/wolfi/keycloak-26.4-compat | < 26.4.2-r2 |
| pkg:apk/wolfi/keycloak-26.4-iamguarded-compat | < 26.4.5-r0 |
| pkg:apk/wolfi/keycloak-26.4-operator | < 26.4.2-r2 |
| pkg:apk/wolfi/keycloak-26.4-operator-compat | < 26.4.2-r2 |
| pkg:maven/org.keycloak/keycloak-quarkus-server | < 26.4.4 |
References
- github.com/advisories/GHSA-vjr8-56p3-fmqq (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-10939 (GHSA, advisory)
- access.redhat.com/errata/RHSA-2025:21370 (NVD, web)
- access.redhat.com/errata/RHSA-2025:21371 (NVD, web)
- access.redhat.com/security/cve/CVE-2025-10939 (NVD, web)
- bugzilla.redhat.com/show_bug.cgi (NVD, web)
- github.com/keycloak/keycloak/security/advisories/GHSA-vjr8-56p3-fmqq (GHSA, web)
- github.com/keycloak/keycloak/issues/43763 (NVD)
- github.com/keycloak/keycloak/pull/43765 (NVD)