
CVE-2025-10939: Uncontrolled Search Path Element in Red Hat Red Hat build of Keycloak 26.4

Severity: Low
Published: Tue Oct 28 2025 (10/28/2025, 03:08:30 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat build of Keycloak 26.4

Description

A flaw was found in Keycloak. The Keycloak guides recommend not exposing the /admin path to the outside when the installation uses a proxy. The issue occurs at least via HAProxy, which can be tricked into using relative/non-normalized paths to access the /admin application path relative to /realms, which is expected to be exposed.

AI-Powered Analysis

Last updated: 11/14/2025, 02:42:24 UTC

Technical Analysis

CVE-2025-10939 identifies a vulnerability in the Red Hat build of Keycloak version 26.4, classified as an uncontrolled search path element. Keycloak's official guidance recommends not exposing the /admin path externally when the installation sits behind a proxy, so that the administration interface cannot be reached by unauthorized users. The flaw lies in how certain proxies, HAProxy in particular, handle relative or non-normalized URL paths: by manipulating such paths, an attacker can bypass the intended access restriction and reach the /admin interface indirectly through the /realms path, which is expected to be publicly accessible. Exploitation requires neither authentication nor user interaction and can be performed remotely over the network. The vulnerability primarily affects confidentiality, since it may expose sensitive administrative interfaces or information, but it does not affect integrity or availability. The CVSS 3.1 base score of 3.7 reflects low severity, owing to the high attack complexity and the limited impact. No patches or known exploits have been reported yet, but the issue underlines the importance of strict proxy path normalization and access control policies in Keycloak deployments.

Potential Impact

For European organizations, the impact is primarily limited to unauthorized access to, or disclosure of, the administrative interface, which could enable reconnaissance or further targeted attacks if combined with other vulnerabilities. Since Keycloak is widely used for identity and access management in enterprise environments, exposure of the /admin path could weaken the security posture of authentication systems. However, the vulnerability does not allow direct modification of data or service disruption, which reduces its immediate risk. Organizations using HAProxy or similar proxies without strict path normalization are most at risk. The low CVSS score and the absence of known exploits suggest a limited current threat, but the potential for privilege escalation or information leakage remains if the flaw is exploited. This could affect sectors with sensitive identity management needs, such as finance, government, and healthcare, across Europe.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Strictly follow Keycloak's guidance to never expose the /admin path externally when using proxies.
2) Configure proxies like HAProxy to enforce path normalization and reject relative or non-standard URL paths that could bypass access controls.
3) Use network segmentation and firewall rules to restrict access to administrative interfaces to trusted internal networks only.
4) Monitor proxy logs for suspicious path traversal or access attempts targeting /admin or related paths.
5) Regularly update Keycloak and proxy software to incorporate security patches once available.
6) Conduct penetration testing focused on proxy path handling to identify and remediate similar issues.
7) Employ Web Application Firewalls (WAFs) with rules to detect and block attempts to access administrative paths via indirect routes.
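Mitigation 2 in configuration form, as an added example that is not part of the advisory or of Red Hat's or HAProxy's own documentation. It shows the weak rule (a prefix match on the raw request path) next to the corrected one, which normalizes the path before any ACL is evaluated. The `http-request normalize-uri` normalizers used here exist in HAProxy 2.4 and later; the certificate path, backend address and the allow-list of public Keycloak paths are assumptions to be adapted to the deployment.

```haproxy
frontend public_https
    bind :443 ssl crt /etc/haproxy/certs/keycloak.pem   # placeholder certificate path
    default_backend keycloak

    # Weak setting: deny only when the raw path literally starts with /admin.
    # A request whose path reaches /admin through dot segments under /realms
    # does not match this ACL and is forwarded unchanged; Keycloak then
    # resolves the relative path server-side and serves the admin application.
    # http-request deny deny_status 403 if { path_beg /admin }

    # Corrected: canonicalize the path first, then evaluate access rules on
    # the normalized result. Rules run in the order written, so every ACL
    # below sees the normalized path.
    http-request normalize-uri percent-decode-unreserved   # %2E -> .
    http-request normalize-uri path-merge-slashes          # // -> /
    http-request normalize-uri path-strip-dot              # remove /./ segments
    http-request normalize-uri path-strip-dotdot full      # resolve /../ segments
    http-request deny deny_status 403 if { path_beg -i /admin }

    # Belt and braces: allow only the paths a public proxy is expected to
    # serve and reject everything else. Assumed list; adjust to the paths
    # your installation actually exposes.
    acl public_path path_beg -i /realms /resources
    http-request deny deny_status 403 unless public_path

backend keycloak
    server kc1 10.0.0.10:8080 check   # constructed backend address
```

Keycloak's /admin endpoints remain reachable from the internal network (or a separate, authenticated frontend), which is the placement the Keycloak guides recommend.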


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-09-25T03:17:59.929Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69003706ba6dffc5e2309f16

Added to database: 10/28/2025, 3:22:46 AM

Last enriched: 11/14/2025, 2:42:24 AM

Last updated: 12/11/2025, 2:49:27 AM

Views: 417
