3.1
CVE-2025-12150
- EPSS 0.2%
- Veröffentlicht 27.02.2026 08:10:15
- Zuletzt bearbeitet 05.03.2026 02:19:42
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Org.keycloak/keycloak-services: webauthn attestation statement verification bypass
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Build Of Keycloak Version < 26.4.4
Redhat ≫ Build Of Keycloak Version- SwEditiontext-only
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.1 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 3.1 | 1.6 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
|
| secalert@redhat.com | 3.1 | 1.6 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
|
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
https://access.redhat.com/errata/RHSA-2025:21370
https://access.redhat.com/errata/RHSA-2025:21371
https://access.redhat.com/errata/RHSA-2025:22089
https://access.redhat.com/errata/RHSA-2025:22088
https://access.redhat.com/security/cve/CVE-2025-12150
https://bugzilla.redhat.com/show_bug.cgi?id=2406192
https://github.com/keycloak/keycloak/issues/43723