🔐 CVE Alert

CVE-2025-10044

MEDIUM 4.3

Keycloak: keycloak error_description injection on error pages

CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th

A flaw was found in Keycloak. Keycloak's account console and other pages accept arbitrary text in the error_description query parameter and render it on error pages without validating it. The output is HTML-encoded, so the flaw is not script injection (XSS) even though CWE-79 is the assigned weakness; the attacker-chosen text itself is displayed unchanged inside the trusted Keycloak UI. An attacker can therefore craft a URL whose error message carries a lure (for example a fake support phone number or URL) and send it to a victim; because the page is served from the legitimate identity provider, the victim has little reason to distrust it. No authentication is required, but the victim must open the crafted link (CVSS UI:R). Upstream Keycloak versions before 26.2.9 are affected.
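
The point that matters to a reviewer is that output encoding and input validation solve different problems: encoding stops the browser from interpreting the text, but it does nothing about what the text says. The following Python is an added example, not Keycloak's own code and not the upstream fix, that models the vulnerable behaviour (reflecting a user-supplied error_description after HTML-escaping it) beside a hardened variant (ignoring the parameter and looking the message up server-side by the `error` code), plus a small indicator check that can be run over proxy or access-log URLs. The host name, paths, sample URLs, the indicator regexes and the allowlist of OAuth 2.0 / OpenID Connect error codes (RFC 6749 sections 4.1.2.1 and 5.2, OIDC Core section 3.1.2.6) are assumptions of the example, not taken from the advisory.

```python
"""Added example: content injection via error_description.

Models the pattern described in CVE-2025-10044; this is not Keycloak code.
Assumptions: the error page is a function of the redirect URL's query string;
the allowlist below is the standard OAuth 2.0 / OIDC error code set; all URLs
and indicator patterns are constructed for illustration.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Messages are keyed by the OAuth/OIDC `error` code and live on the server,
# so attacker-supplied text never reaches the rendered page.
ERROR_MESSAGES = {
    "invalid_request": "The request is missing a required parameter or is malformed.",
    "unauthorized_client": "This client is not authorized to request authorization.",
    "access_denied": "Access was denied.",
    "unsupported_response_type": "The requested response type is not supported.",
    "invalid_scope": "The requested scope is invalid or unknown.",
    "server_error": "The server encountered an unexpected condition.",
    "temporarily_unavailable": "The server is temporarily unavailable.",
    "login_required": "Login is required.",
    "interaction_required": "User interaction is required.",
    "consent_required": "Consent is required.",
}
GENERIC_MESSAGE = "An error occurred."


def _first(qs, key):
    values = qs.get(key)
    return values[0] if values else None


def render_error_vulnerable(url: str) -> str:
    """Reflects error_description after HTML-escaping it.

    Escaping blocks XSS, but a plausible-looking lure (phone number, URL,
    "call support") is shown verbatim under the identity provider's branding.
    """
    qs = parse_qs(urlsplit(url).query)
    description = _first(qs, "error_description") or GENERIC_MESSAGE
    return '<p class="error">' + html.escape(description) + "</p>"


def render_error_hardened(url: str) -> str:
    """Never renders attacker-controlled text.

    The message comes from the server-side table keyed by `error`; unknown or
    missing codes fall back to a generic message. error_description is ignored.
    """
    qs = parse_qs(urlsplit(url).query)
    code = _first(qs, "error") or ""
    message = ERROR_MESSAGES.get(code, GENERIC_MESSAGE)
    return '<p class="error">' + html.escape(message) + "</p>"


# Indicators a phishing payload in error_description would typically carry.
# These are heuristics constructed for the example, not a vendor signature.
_PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
_URL = re.compile(r"https?://|www\.", re.IGNORECASE)
_LURE = re.compile(r"\b(call|contact|support|helpdesk|urgent|suspended)\b", re.IGNORECASE)


def suspicious_error_description(url: str) -> list[str]:
    """Detection helper for access/proxy logs.

    Returns the indicator names found in error_description; an empty list
    means nothing suspicious was seen (including when the parameter is absent).
    """
    qs = parse_qs(urlsplit(url).query)
    description = _first(qs, "error_description") or ""
    found = []
    if _PHONE.search(description):
        found.append("phone_number")
    if _URL.search(description):
        found.append("url")
    if _LURE.search(description):
        found.append("lure_wording")
    if len(description) > 200:
        found.append("overlong")
    return found


# Constructed sample URLs (hypothetical host and realm).
PHISHING_URL = (
    "https://idp.example/realms/demo/account/?error=access_denied"
    "&error_description=Your+account+is+suspended.+Call+support+at+%2B1-555-0100+now"
)
XSS_URL = (
    "https://idp.example/realms/demo/account/?error=access_denied"
    "&error_description=%3Cscript%3Ealert(1)%3C/script%3E"
)
LEGIT_URL = "https://idp.example/realms/demo/account/?error=access_denied"

if __name__ == "__main__":
    print("vulnerable:", render_error_vulnerable(PHISHING_URL))
    print("xss blocked:", render_error_vulnerable(XSS_URL))
    print("hardened:  ", render_error_hardened(PHISHING_URL))
    print("indicators:", suspicious_error_description(PHISHING_URL))
```

Running the module shows the escaped `<script>` payload rendered harmlessly by the vulnerable function while the "call support at +1-555-0100" lure passes through untouched; the hardened function prints "Access was denied." for the same URL. For detection, feed the request URLs from your reverse proxy or Keycloak access logs through suspicious_error_description and alert on any non-empty result; legitimate redirects from Keycloak's own flows rarely carry phone numbers or URLs in that parameter.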

CWE CWE-79
Vendor keycloak
Product keycloak
Published Sep 5, 2025
Last Updated Dec 19, 2025

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Affected Versions

Keycloak / keycloak
0 < 26.2.9
Red Hat / Red Hat build of Keycloak 26.0
All versions affected
Red Hat / Red Hat build of Keycloak 26.0.17
All versions affected
Red Hat / Red Hat build of Keycloak 26.2
All versions affected
Red Hat / Red Hat build of Keycloak 26.2.9
All versions affected

References

NVD, CVE.org, EPSS Data
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:16399
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:16400
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:19923
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:19925
access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-10044
bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2393551
github.com: https://github.com/keycloak/keycloak/pull/42443