Keycloak < 26.2.9 Multiple Vulnerabilities (GHSA-wc64-wmfm-46vw) (GHSA-xmcw-mv9p-7pq2)

medium Nessus Plugin ID 265769

Synopsis

The remote host is missing one or more security updates.

Description

The version of Keycloak installed on the remote host is prior to 26.2.9. It is, therefore, affected by multiple vulnerabilities as referenced in the advisories GHSA-wc64-wmfm-46vw and GHSA-xmcw-mv9p-7pq2.

- A path traversal validation flaw exists in Keycloak's vault key handling on Windows. The earlier fix for CVE-2024-10492 did not treat the Windows file separator (\) as a path separator. As a result, a high-privilege administrator could probe for the existence of files outside the expected realm context through crafted vault secret lookups. This is a platform-specific variant of, and an incomplete fix for, CVE-2024-10492. (CVE-2025-10043)

- A flaw was found in Keycloak. Keycloak's account console and other pages accept arbitrary text in the error_description query parameter and render it directly in error pages without validation. HTML encoding prevents XSS, but an attacker can craft URLs carrying misleading messages (for example a fake support phone number or URL) that are displayed inside the trusted Keycloak UI. This creates a phishing vector that can trick users into contacting malicious actors. (CVE-2025-10044)
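The separator gap behind CVE-2025-10043 is a general lesson for any file-backed secret store: a traversal check that only understands "/" passes "..\..\x" on Windows, and a test suite run on Linux will never notice. The following is an added example written for this page, not Keycloak's code or its actual fix. It assumes a hypothetical files-based vault that stores one secret per file named "<realm>_<key>" directly under a vault directory; `naive_key_check`, `has_traversal`, `resolve_vault_file` and `is_rejected` are names chosen here for illustration.

```python
import re
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed illustration of the CVE-2025-10043 pattern; not Keycloak's code.
# Assumption (hypothetical naming): a files-based vault keeps one secret per
# file named "<realm>_<key>" directly under the vault directory.

# Allowlist for a single realm or key component: no separators, no leading dot.
KEY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def naive_key_check(key: str) -> bool:
    """The kind of check that stops '../x' on Linux but not '..\\..\\x' on
    Windows: only '/' is treated as a separator, so the backslash form looks
    like one harmless file name. Shown here as the 'before' case."""
    return key not in ("", ".", "..") and "/" not in key


def has_traversal(name: str) -> bool:
    """True if NAME could leave the vault directory under either path syntax.

    Parsing the same string with both PurePosixPath and PureWindowsPath makes
    the check independent of the OS the validation happens to run on, so a
    Linux test suite still catches the backslash variant."""
    for parser in (PurePosixPath, PureWindowsPath):
        p = parser(name)
        # Absolute paths, drive letters or UNC prefixes, '..' segments, or
        # anything that is not exactly one component is not a plain key.
        if (p.is_absolute() or p.drive or p.root
                or ".." in p.parts or len(p.parts) != 1):
            return True
    return False


def resolve_vault_file(vault_dir, realm: str, key: str) -> Path:
    """Map (realm, key) to a file path, refusing anything that could escape
    the vault directory. Raises ValueError on rejection."""
    base = Path(vault_dir).resolve()
    for part in (realm, key):
        if has_traversal(part) or not KEY_RE.fullmatch(part):
            raise ValueError(f"rejected vault name component: {part!r}")
    target = (base / f"{realm}_{key}").resolve()
    # Defense in depth: confirm the resolved file is a direct child of the
    # vault directory. This part is platform dependent (it only knows the
    # separators of the host it runs on), which is why the lexical check
    # above is the primary control rather than this one.
    if target.parent != base:
        raise ValueError("resolved path is outside the vault directory")
    return target


def is_rejected(vault_dir, realm: str, key: str) -> bool:
    """Convenience wrapper: True if the lookup would be refused."""
    try:
        resolve_vault_file(vault_dir, realm, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed probe keys, including the Windows-separator variant.
    for key in ("smtp-password", "../../etc/passwd",
                "..\\..\\Windows\\win.ini", "C:\\Windows\\win.ini"):
        print(f"{key!r:32} naive_passes={naive_key_check(key)!s:5} "
              f"hardened_rejects={has_traversal(key)}")
```

The allowlist alone would be enough to block the probe; `has_traversal` is kept alongside it to show why a separator-aware check must be written against both path syntaxes rather than against whatever `os.sep` is on the build machine.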

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
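CVE-2025-10044 is a reminder that output encoding addresses injection, not trust: an escaped attacker string on a page users trust is still an attacker string. The following added example (not Keycloak's code or its fix) contrasts a renderer that echoes the escaped error_description with one that maps only the `error` code to server-side text, and adds a small triage helper for IdP or proxy access logs. The template functions, `ERROR_MESSAGES` table and the phishing regex are assumptions chosen for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed illustration of the CVE-2025-10044 pattern; not Keycloak's code.
# Assumption: the error page is produced by a small server-side function that
# receives the raw query string of the request.

# Server-controlled messages keyed by the OAuth 2.0 / OIDC error codes the
# page expects. Anything else falls back to a generic message.
ERROR_MESSAGES = {
    "invalid_request": "The request was malformed. Please start the login again.",
    "access_denied": "Access was denied.",
    "invalid_grant": "Your session is no longer valid. Please log in again.",
    "server_error": "An internal error occurred. Please try again later.",
    "temporarily_unavailable": "The service is temporarily unavailable.",
}
GENERIC_MESSAGE = "An error occurred. Please try again or contact your administrator."


def _params(query: str) -> dict:
    """First value of each query parameter, e.g. 'a=1&b=2' -> {'a': '1', 'b': '2'}."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_error_vulnerable(query: str) -> str:
    """Escapes the text (so no XSS) but still shows whatever the URL says."""
    p = _params(query)
    desc = p.get("error_description", GENERIC_MESSAGE)
    return f"<h1>Error</h1><p>{html.escape(desc)}</p>"


def render_error_hardened(query: str) -> str:
    """Never reflects error_description; the visible text comes only from the
    server-side table, selected by the (allowlisted) error code."""
    p = _params(query)
    msg = ERROR_MESSAGES.get(p.get("error", ""), GENERIC_MESSAGE)
    # The raw error_description can still be logged server-side for debugging;
    # it just never reaches the page.
    return f"<h1>Error</h1><p>{html.escape(msg)}</p>"


# Heuristic for triage: URLs, phone-number-like digit runs, or contact wording
# that a legitimate protocol error description would not carry.
PHISHY = re.compile(
    r"https?://|www\.|\+?\d[\d\s().-]{7,}\d|\b(call|contact|support|helpdesk)\b",
    re.IGNORECASE,
)


def suspicious_error_description(url: str) -> bool:
    """True if the URL's error_description looks like a lure rather than an
    OAuth error. Intended for scanning access logs for abuse of this bug."""
    desc = _params(urlsplit(url).query).get("error_description", "")
    return bool(PHISHY.search(desc))


if __name__ == "__main__":
    # Constructed lure: a fake 'support' number inside an otherwise valid error redirect.
    lure = ("error=access_denied&error_description="
            "Your+account+is+locked.+Call+1-800-555-0199+to+restore+access")
    print("vulnerable:", render_error_vulnerable(lure))
    print("hardened:  ", render_error_hardened(lure))
    print("flagged:   ", suspicious_error_description(
        "https://sso.example.com/realms/myrealm/account/?" + lure))
```

The hardened renderer deliberately loses nothing the page needs: the error code already identifies the condition, and the human-readable text belongs to the server, not to whoever built the link.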

Solution

Upgrade to Keycloak 26.2.9 or later. See the vendor advisories for details.

See Also

https://github.com/advisories/GHSA-wc64-wmfm-46vw

https://github.com/advisories/GHSA-xmcw-mv9p-7pq2

Plugin Details

Severity: Medium

ID: 265769

File Name: keycloak_26_2_9.nasl

Version: 1.2

Type: local

Agent: unix

Family: Misc.

Published: 9/24/2025

Updated: 9/26/2025

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2025-10044

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Vulnerability Information

CPE: cpe:/a:keycloak:keycloak

Required KB Items: installed_sw/Keycloak

Patch Publication Date: 9/5/2025

Vulnerability Publication Date: 9/5/2025

Reference Information

CVE: CVE-2025-10043, CVE-2025-10044

IAVB: 2025-B-0156