Keycloak REST Services: Weak Authentication Registration Possible

CVE-2025-12150 GHSA-7g5x-9c4v-4w5r
Summary

A flaw in Keycloak's WebAuthn registration lets users register untrusted authenticators. This weakens authentication and allows unauthorized authenticators to be registered. Update Keycloak to the latest version to address this issue.

What to do
  • Update keycloak org.keycloak:keycloak-services to version 26.4.4.
Affected software
Vendor    Product                             Affected versions   Fix available
keycloak  org.keycloak:keycloak-services      <= 26.4.4           26.4.4
redhat    build_of_keycloak                   <= 26.4.4
redhat    build_of_keycloak                   All versions
redhat    keycloak                            24.0.2
Original title
Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass
Original description
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.
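To make the bypass concrete, here is an added example (not Keycloak's code) of a server-side policy gate for a decoded WebAuthn attestation object: it applies the realm's attestation conveyance preference and refuses fmt "none" when attestation is required. The function names, the conveyance handling and the constructed authenticatorData are assumptions of this example, not taken from the advisory.

```python
import hashlib
import struct

# Attestation statement formats registered by the WebAuthn spec that carry a
# signature or certificate chain; "none" by definition carries neither.
VERIFIABLE_FORMATS = {"packed", "tpm", "android-key", "android-safetynet", "fido-u2f", "apple"}


def parse_auth_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte header of WebAuthn authenticatorData."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    return {
        "rpIdHash": auth_data[:32],
        "UP": bool(flags & 0x01),   # user present
        "UV": bool(flags & 0x04),   # user verified
        "AT": bool(flags & 0x40),   # attested credential data included
        "signCount": struct.unpack(">I", auth_data[33:37])[0],
    }


def attestation_allowed(conveyance: str, att_obj: dict) -> tuple[bool, str]:
    """Gate a registration by the realm's attestation conveyance preference.
    conveyance: realm setting "none" | "indirect" | "direct" | "enterprise".
    att_obj: CBOR-decoded attestation object with keys fmt, attStmt, authData.
    Policy assumption of this example: only "direct" and "enterprise" make an
    attestation statement mandatory; "indirect" tolerates fmt "none"."""
    fmt, att_stmt = att_obj.get("fmt"), att_obj.get("attStmt", {})
    if not parse_auth_data(att_obj["authData"])["AT"]:
        return False, "AT flag not set: no attested credential data"
    if fmt == "none":
        if conveyance in ("direct", "enterprise"):
            # The check the advisory describes as missing: a realm that demands
            # attestation must not accept the unverifiable "none" format.
            return False, 'realm requires attestation; fmt "none" rejected'
        if att_stmt:
            return False, 'fmt "none" must carry an empty attStmt'
        return True, "registration without attestation accepted by policy"
    if fmt not in VERIFIABLE_FORMATS:
        return False, f"unknown attestation format {fmt!r}"
    if not att_stmt:
        return False, f"fmt {fmt!r} requires a non-empty attStmt"
    # Signature / certificate-chain verification of att_stmt would follow here.
    return True, f"fmt {fmt!r} passed policy, proceed to statement verification"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Build constructed authenticatorData for testing (credential data omitted)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```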
NVD CVSS 3.1 base score: 3.1
Vulnerability type
CWE-347 Improper Verification of Cryptographic Signature
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026