Nixpkgs security tracker

Untriaged

Permalink CVE-2025-3910

5.4 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 7 months, 1 week ago Activity log

Created suggestion 7 months, 1 week ago

Org.keycloak.authentication: two factor authentication bypass

A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.

References

RHSA-2025:4335 x_refsource_REDHATvendor-advisory
https://access.redhat.com/security/cve/CVE-2025-3910 vdb-entryx_refsource_REDHAT
RHBZ#2361923 issue-trackingx_refsource_REDHAT
RHSA-2025:4336 x_refsource_REDHATvendor-advisory
https://github.com/keycloak/keycloak/issues/39349

Affected products

keycloak

<26.1.*
<26.2.2
<25.*
<26.0.11

rhbk/keycloak-rhel9

keycloak-rhel9-container

org.keycloak.authentication

rhbk/keycloak-rhel9-operator

rhbk/keycloak-operator-bundle

keycloak-rhel9-operator-container

keycloak-rhel9-operator-bundle-container

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

nixos-unstable -
- nixpkgs-unstable 26.3.4

pkgs.terraform-providers.keycloak

None

nixos-unstable -
- nixpkgs-unstable 5.4.0

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

nixos-unstable -
- nixpkgs-unstable 4.0.0

pkgs.python313Packages.python-keycloak