CVE-2025-10939 – Org.keycloak/keycloak-quarkus-server: unable to restrict access to the admin console

CVE ID : CVE-2025-10939

Published : Oct. 28, 2025, 4:16 a.m. | 28 minutes ago

Description : A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application path relative to /realms which is expected to be exposed.

Severity: 3.7 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…