CVE-2025-10939: Uncontrolled Search Path Element in Red Hat build of Keycloak 26.4
CVE-2025-10939 is a low-severity vulnerability in the Red Hat build of Keycloak 26.4, recorded under the CWE name "Uncontrolled Search Path Element". The issue arises when Keycloak is deployed behind a proxy such as HAProxy and the proxy is relied on to block the /admin path, which Keycloak's documentation recommends not exposing externally. Relative or non-normalized request paths that begin with the exposed /realms prefix can resolve to /admin once normalized, so a deny rule that matches the path as sent does not stop them, and unauthenticated clients can reach the administrative endpoints indirectly. The vulnerability requires no authentication or user interaction; its impact is limited to confidentiality (low), with no integrity or availability effect. No exploits in the wild are currently reported. European organizations running Keycloak behind a proxy should review their proxy configuration for strict path normalization and access controls, and countries with significant Red Hat and Keycloak adoption, especially in critical identity management infrastructure, are the most likely to be affected. Given the low CVSS score (3.7) and the nature of the flaw, the overall risk is low, but it warrants attention to prevent reconnaissance or limited information disclosure.
AI Analysis
Technical Summary
CVE-2025-10939 identifies a vulnerability in the Red Hat build of Keycloak version 26.4 that appears when Keycloak is deployed behind certain proxies, notably HAProxy. Keycloak's official guidance advises against exposing the /admin path externally when a proxy is in front of it, and the usual way to follow that advice is a proxy rule that denies requests whose path begins with /admin. This vulnerability allows an attacker to circumvent such a rule with relative or non-normalized URL paths: a request whose raw path begins with the normally exposed /realms prefix, but which resolves to /admin once dot segments and encoding are normalized, passes the proxy's prefix check and is then routed to the admin interface by Keycloak. The root cause is therefore a normalization mismatch between the proxy, which evaluates the path as received, and the application, which serves the normalized path; the assigned CWE name, "Uncontrolled Search Path Element" (the name of CWE-427), describes this only loosely. The vulnerability requires no privileges or user interaction and is exploitable over the network. The impact is limited to confidentiality, since reaching the admin path can reveal administrative interfaces or information, but it does not by itself allow modification or disruption of the service. The CVSS v3.1 score is 3.7 (low); the metrics stated here (network vector, high attack complexity, no privileges, no user interaction, low confidentiality impact only) correspond to the vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, with the high attack complexity reflecting the dependency on a particular proxy configuration. No patches or known exploits are currently documented, but the issue highlights the importance of normalizing paths before enforcing access rules at the proxy and of not relying on a deny-list alone to protect administrative endpoints in identity management systems like Keycloak.
Potential Impact
For European organizations, the primary impact of CVE-2025-10939 lies in potential unauthorized access to administrative interfaces of Keycloak deployments, which could lead to information disclosure about the identity management system's configuration or administrative functions. While the vulnerability does not directly allow modification or denial of service, exposure of the /admin path could facilitate further reconnaissance or targeted attacks against identity infrastructure. Organizations relying on Keycloak for authentication and authorization services may face increased risk if proxy configurations are not hardened, potentially compromising the confidentiality of sensitive identity management data. The impact is more pronounced in sectors with stringent identity and access management requirements, such as finance, healthcare, and government institutions. However, given the low severity and absence of known exploits, the immediate risk is limited but should not be ignored. Failure to address this vulnerability could undermine trust in identity services and complicate compliance with data protection regulations like GDPR if sensitive administrative information is leaked.
Mitigation Recommendations
To mitigate CVE-2025-10939, European organizations should implement the following measures:
1) Review and harden proxy configurations, especially HAProxy, so that path normalization (percent-decoding, merging repeated slashes, resolving "." and ".." segments) happens before any path-based access rule is evaluated. In HAProxy 2.4 and later the http-request normalize-uri directives (for example path-merge-slashes and path-strip-dotdot full) do this, and they must precede the deny rule because rules are evaluated in order; note that percent-decode-unreserved leaves reserved characters such as %2F encoded, so normalization alone is not a complete control.
2) Explicitly block external access to the /admin path on proxies and firewalls so that it is reachable only from trusted internal networks. Prefer allow-listing the prefixes that must be reachable externally and denying everything else over deny-listing /admin alone, and verify the block by requesting both the direct /admin path and non-normalized variants that begin with /realms.
3) Employ Web Application Firewalls (WAFs) with rules that detect and block path traversal and path manipulation attempts (dot segments, encoded slashes, repeated slashes) targeting Keycloak endpoints.
4) Monitor proxy access logs for requests whose raw path does not begin with /admin but resolves to /admin after normalization; such a request that was forwarded to the Keycloak backend rather than denied at the proxy is the signature of this bypass and should be investigated promptly.
5) Keep Keycloak and proxy software up to date with the latest security patches and advisories from Red Hat and proxy vendors.
6) Conduct regular security assessments and penetration tests focusing on proxy configurations and identity management interfaces to detect similar path-handling discrepancies.
7) Educate system administrators on secure proxy deployment practices and on Keycloak's guidance regarding which paths may be exposed.
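The following is an added example, not code from Keycloak, Red Hat, HAProxy or this page. It models the mismatch described in the Technical Summary, a deny rule that tests the raw request path for the /admin prefix against a backend that routes on the normalized path, and implements the log check from mitigation item 4 over constructed HAProxy-style log lines. Assumptions: the backend percent-decodes once and resolves dot segments as in RFC 3986 remove_dot_segments (an assumption about the backend, not a statement about Keycloak's router); the log lines follow HAProxy's default HTTP log format but are invented; and the /realms/../admin shape is an illustration of the "relative or non-normalized path" the advisory describes, not a confirmed payload.

```python
"""
Added example (not Keycloak's, Red Hat's or HAProxy's code).

Shows why `http-request deny if { path_beg /admin }` evaluated on the raw
path misses a request that the backend will route to /admin, and scans
HAProxy-style access logs for exactly that shape.
"""
import re
from urllib.parse import unquote

ADMIN_PREFIX = "/admin"

# Constructed sample lines in HAProxy's default HTTP log format (not real
# traffic).  Line 2 is a request denied at the proxy (backend <NOSRV>,
# termination flags PR--); lines 3 and 4 were forwarded to Keycloak.
SAMPLE_LOG = """\
Mar  1 10:00:01 lb haproxy[411]: 203.0.113.10:51002 [01/Mar/2026:10:00:01.010] fe_https be_kc/kc1 0/0/1/20/21 200 812 - - ---- 2/2/0/0/0 0/0 "GET /realms/master/.well-known/openid-configuration HTTP/1.1"
Mar  1 10:00:02 lb haproxy[411]: 203.0.113.10:51003 [01/Mar/2026:10:00:02.020] fe_https fe_https/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 2/2/0/0/0 0/0 "GET /admin/master/console/ HTTP/1.1"
Mar  1 10:00:03 lb haproxy[411]: 198.51.100.7:40112 [01/Mar/2026:10:00:03.030] fe_https be_kc/kc1 0/0/1/18/19 200 3120 - - ---- 2/2/0/0/0 0/0 "GET /realms/../admin/master/console/ HTTP/1.1"
Mar  1 10:00:04 lb haproxy[411]: 198.51.100.7:40113 [01/Mar/2026:10:00:04.040] fe_https be_kc/kc1 0/0/1/17/18 200 3120 - - ---- 2/2/0/0/0 0/0 "GET /realms/%2e%2e/admin/master/console/ HTTP/1.1"
Mar  1 10:00:05 lb haproxy[411]: 203.0.113.10:51004 [01/Mar/2026:10:00:05.050] fe_https be_kc/kc1 0/0/1/15/16 200 640 - - ---- 2/2/0/0/0 0/0 "POST /realms/master/protocol/openid-connect/token HTTP/1.1"
"""


def raw_prefix_rule_blocks(raw_path: str) -> bool:
    """The weak rule: `path_beg /admin` on the path as sent (query stripped,
    nothing decoded, dot segments left in place)."""
    return raw_path.split("?", 1)[0].startswith(ADMIN_PREFIX)


def normalize_path(raw_path: str) -> str:
    """Assumed backend view of the path: strip query/fragment, percent-decode
    once, merge repeated slashes, resolve '.' and '..' (RFC 3986 style)."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)                 # %2e -> '.', %2f -> '/'
    path = re.sub(r"/{2,}", "/", path)   # '//' -> '/'
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def resolves_to_admin(raw_path: str) -> bool:
    """The hardened rule: normalize first, then test the prefix."""
    n = normalize_path(raw_path)
    return n == ADMIN_PREFIX or n.startswith(ADMIN_PREFIX + "/")


def is_indirect_admin_access(raw_path: str) -> bool:
    """True when the raw-prefix rule would pass the request but the backend
    would serve it from /admin: the bypass shape this advisory describes."""
    return resolves_to_admin(raw_path) and not raw_prefix_rule_blocks(raw_path)


# Fields of the default HAProxy HTTP log line that the scanner needs.
LOG_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+haproxy\[\d+\]:\s+"
    r"(?P<client>[\d.]+):\d+\s+\[[^\]]+\]\s+(?P<fe>\S+)\s+(?P<be>\S+)\s+\S+\s+"
    r"(?P<status>\d{3})\s+.*?\"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+\""
)


def find_indirect_admin_requests(log_text: str) -> list:
    """Return (client, status, raw target, normalized path) for every logged
    request that reached /admin through a non-normalized path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if is_indirect_admin_access(target):
            hits.append((m.group("client"), int(m.group("status")),
                         target, normalize_path(target)))
    return hits


if __name__ == "__main__":
    for client, status, target, norm in find_indirect_admin_requests(SAMPLE_LOG):
        print(f"{client} {status} {target} -> {norm}")
```

Run against the constructed log, the scanner reports only the two requests from 198.51.100.7: both were forwarded to the backend with status 200, neither raw path begins with /admin, and both normalize to /admin/master/console. The same normalize-then-match logic is what the proxy rule must apply; a deny rule on the raw path, as in `raw_prefix_rule_blocks`, is the weak configuration.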
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-09-25T03:17:59.929Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69003706ba6dffc5e2309f16
Added to database: 10/28/2025, 3:22:46 AM
Last enriched: 12/19/2025, 8:49:49 PM
Last updated: 2/8/2026, 3:53:26 AM