CVE-2025-10044 affects Red Hat's build of Keycloak version 26.0 and involves improper neutralization of input during web page generation, specifically in the error_description query parameter used in the account console and other pages. The vulnerability arises because arbitrary text passed via this parameter is rendered directly on error pages without proper validation or sanitization. While the application applies HTML encoding to prevent direct cross-site scripting (XSS) attacks, this encoding does not prevent attackers from injecting misleading textual content such as fake support phone numbers or URLs. These malicious messages appear within the trusted Keycloak user interface, creating a phishing vector that can deceive users into contacting attackers or divulging sensitive information. The flaw does not allow attackers to execute scripts or compromise the confidentiality or availability of the system directly, but it undermines user trust and can facilitate social engineering attacks. Exploitation requires no authentication but does require user interaction, such as clicking on a crafted URL. The CVSS 3.1 base score is 4.3 (medium severity), reflecting the limited impact on system integrity and confidentiality but acknowledging the phishing risk. No known exploits have been reported in the wild at the time of publication. The vulnerability highlights the importance of not only preventing code injection but also controlling the content displayed to users to avoid social engineering risks in identity management platforms like Keycloak.

For European organizations, this vulnerability poses a significant phishing risk within trusted identity and access management workflows. Keycloak is widely used in enterprise and public sector environments across Europe for single sign-on and user federation. Attackers exploiting this flaw could craft URLs that appear legitimate and display deceptive messages, potentially tricking users into divulging credentials, calling fraudulent support lines, or visiting malicious websites. This could lead to credential theft, unauthorized access, or further social engineering attacks. Although the vulnerability does not directly compromise system integrity or availability, the indirect impact on user trust and potential credential compromise can have serious consequences, especially in regulated sectors such as finance, healthcare, and government. The phishing vector could also facilitate lateral movement or privilege escalation if attackers gain valid credentials. Given the widespread adoption of Keycloak in European organizations, the potential scale of exposure is considerable. The lack of known exploits reduces immediate urgency but does not eliminate risk, as phishing campaigns can be launched opportunistically.

Organizations should immediately review and apply any patches or updates provided by Red Hat for Keycloak 26.0 addressing this issue. In the absence of patches, administrators can implement strict input validation and sanitization on the error_description parameter to prevent injection of misleading content. Additionally, customizing error pages to avoid displaying user-supplied input or limiting displayed content to predefined messages can reduce risk. Deploying web application firewalls (WAFs) with rules to detect and block suspicious query parameters may help mitigate exploitation attempts. User awareness training focused on recognizing phishing attempts within internal applications is critical, emphasizing caution when clicking on unexpected URLs even if they appear to originate from trusted sources. Monitoring logs for unusual access patterns or repeated error page requests with suspicious parameters can aid in early detection. Finally, organizations should consider multi-factor authentication (MFA) to reduce the impact of credential compromise resulting from phishing.