Low severityNVD Advisory· Published Feb 27, 2026· Updated Mar 6, 2026

Org.keycloak/keycloak-services: webauthn attestation statement verification bypass

CVE-2025-12150

Description

A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.keycloak:keycloak-servicesMaven	< 26.4.4	26.4.4

Affected products

Red Hat/Red Hat build of Keycloak 26.2.11v5
cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat/Red Hat build of Keycloak 26.4.4v5
cpe:/a:redhat:build_keycloak:26.4::el9
Keycloak/Keycloakv5
Range: 0

Patches

4136a677e7e2

WebAuthn registration now respects the configured extra origins policy (#35404)

https://github.com/keycloak/keycloakKevin TangJan 9, 2025via ghsa

commit

1 file changed · +7 −1

services/src/main/java/org/keycloak/authentication/requiredactions/WebAuthnRegister.java+7 −1 modified

@@ -228,8 +228,14 @@ public void processAction(RequiredActionContext context) {
         String publicKeyCredentialId = params.getFirst(WebAuthnConstants.PUBLIC_KEY_CREDENTIAL_ID);
 
         Origin origin = new Origin(UriUtils.getOrigin(context.getUriInfo().getBaseUri()));
+        Set<Origin> allOrigins = policy
+                .getExtraOrigins()
+                .stream()
+                .map(Origin::new)
+                .collect(Collectors.toSet());
+        allOrigins.add(origin);
         Challenge challenge = new DefaultChallenge(context.getAuthenticationSession().getAuthNote(WebAuthnConstants.AUTH_CHALLENGE_NOTE));
-        ServerProperty serverProperty = new ServerProperty(origin, rpId, challenge, null);
+        ServerProperty serverProperty = new ServerProperty(allOrigins, rpId, challenge, null);
         // check User Verification by considering a malicious user might modify the result of calling WebAuthn API
         boolean isUserVerificationRequired = policy.getUserVerificationRequirement().equals(WebAuthnConstants.OPTION_REQUIRED);

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

access.redhat.com/errata/RHSA-2025:21370ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2025:21371ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2025:22088ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2025:22089ghsavendor-advisoryx_refsource_REDHATWEB
github.com/advisories/GHSA-7g5x-9c4v-4w5rghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-12150ghsaADVISORY
access.redhat.com/security/cve/CVE-2025-12150ghsavdb-entryx_refsource_REDHATWEB
bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
github.com/keycloak/keycloak/commit/4136a677e7e24f6685ed25567e191e1003200339ghsaWEB
github.com/keycloak/keycloak/issues/35110ghsaWEB
github.com/keycloak/keycloak/issues/43723ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000