CVE-2025-10044

Keycloak’s account console accepts arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors.

Published: Oct 17, 2025
Updated: Oct 18, 2025
CVE: CVE-2025-10044
GHSA: GHSA-27gc-wj6x-9w55
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
org.keycloak / keycloak-account-ui	-	26.2.9
org.keycloak / keycloak-account-ui	26.3.0	26.3.4
org.keycloak / keycloak-admin-ui	-	26.2.9
org.keycloak / keycloak-admin-ui	26.3.0	26.3.4

https://access.redhat.com/errata/RHSA-2025:16399
https://access.redhat.com/errata/RHSA-2025:16400
https://access.redhat.com/security/cve/CVE-2025-10044
https://bugzilla.redhat.com/show_bug.cgi?id=2393551
https://github.com/keycloak/keycloak/pull/42035
https://github.com/keycloak/keycloak/security/advisories/GHSA-27gc-wj6x-9w55

Vulnerability Database

CVE-2025-10044

Deep Security Visibility Without the Complexity