CVE-2025-12150: Improper Verification of Cryptographic Signature in Keycloak

Severity: 3.1 LOW (NVD)
EPSS: 0.0% (top 98.41%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 27

Description

A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N (Exploitability: 1.6 | Impact: 1.4)

Affected Packages (3 packages)

CVEList V5: keycloak/keycloak < 26.4.4
NVD: redhat/keycloak 24.0.2

🔴 Vulnerability Details (3)

CVEList: Org.keycloak/keycloak-services: webauthn attestation statement verification bypass (2026-02-27)
OSV: Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass (2026-02-27)
GHSA: Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass (2026-02-27)

📋 Vendor Advisories (2)

Red Hat: org.keycloak/keycloak-services: WebAuthn Attestation Statement Verification Bypass (2025-10-28)
Microsoft: It was found that samba before 4.4.16, 4.5.x before 4.5.14 and 4.6.x before 4.6.8 did not enforce "SMB signing" when certain configuration options were enabled. A remote attacker could launch a man-in- (2018-07-10)

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-12150 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-12150 — Keycloak vulnerability | cvebase