CVE-2025-12150
LOWKeycloak < 26.4.4 - Improper Verification of Cryptographic Signature via WebAuthn Attestation Bypass
Title source: llmDescription
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.
References (7)
Core 7
Core References
Issue Tracking
https://github.com/keycloak/keycloak/issues/43723
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:21370
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:21371
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:22088
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:22089
Vendor Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2025-12150
Vendor Advisory issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2406192
Scores
CVSS v3
3.1
EPSS
0.0020
EPSS Percentile
10.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-347
Status
published
Products (4)
org.keycloak/keycloak-services
0 - 26.4.4Maven
redhat/build_of_keycloak
redhat/build_of_keycloak
< 26.4.4
redhat/keycloak
24.0.2
Published
Feb 27, 2026
Tracked Since
Feb 27, 2026