3.1
CVE-2025-12150
- EPSS 0.01%
- Veröffentlicht 27.02.2026 08:10:15
- Zuletzt bearbeitet 05.03.2026 02:19:42
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Org.keycloak/keycloak-services: webauthn attestation statement verification bypass
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Build Of Keycloak Version < 26.4.4
Redhat ≫ Build Of Keycloak Version- SwEditiontext-only
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.01% | 0.026 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 3.1 | 1.6 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
|
| secalert@redhat.com | 3.1 | 1.6 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
|
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.