CVE-2025-10044

MEDIUM

Keycloak < 26.2.9 - Phishing via Unsanitized Error Description Parameter

Title source: llm
STIX 2.1

Description

A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors.

References (7)

Core 7
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:16399
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:16400
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:19923
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:19925
Vendor Advisory vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2025-10044
Issue Tracking issue-tracking x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2393551

Scores

CVSS v3 4.3
EPSS 0.0006
EPSS Percentile 18.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (10)
Keycloak/keycloak < 26.2.9
org.keycloak/keycloak-account-ui 0 - 26.2.9Maven
org.keycloak/keycloak-admin-ui 0 - 26.2.9Maven
Red Hat/Red Hat build of Keycloak 26.0 26.0-21
Red Hat/Red Hat build of Keycloak 26.0 26.0-22
Red Hat/Red Hat build of Keycloak 26.0 26.0.17-1
Red Hat/Red Hat build of Keycloak 26.0.17
Red Hat/Red Hat build of Keycloak 26.2 26.2-9
Red Hat/Red Hat build of Keycloak 26.2 26.2.9-1
Red Hat/Red Hat build of Keycloak 26.2.9
Published Sep 05, 2025
Tracked Since Feb 18, 2026