
CVE-2025-10939: Uncontrolled Search Path Element in Red Hat Red Hat Build of Keycloak

Severity: Low
Published: Tue Oct 28 2025 (10/28/2025, 03:08:30 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat Build of Keycloak

Description

A flaw was found in Keycloak. The Keycloak guides recommend not exposing the /admin path to the outside when the installation is using a proxy. The issue occurs at least via HAProxy, which can be tricked into using relative/non-normalized paths to access the /admin application path relative to /realms, which is expected to be exposed.

AI-Powered Analysis

AI analysis last updated: 10/28/2025, 03:37:41 UTC

Technical Analysis

CVE-2025-10939 identifies a vulnerability in the Red Hat Build of Keycloak, classified as an uncontrolled search path element, that appears when Keycloak is deployed behind a proxy such as HAProxy. Keycloak’s official guidance recommends not exposing the /admin path externally when a proxy is used. The vulnerability arises because HAProxy can be tricked into using relative or non-normalized paths, so a request that appears to target the exposed /realms path is resolved by the backend to the /admin interface, bypassing the intended access restriction. This path-traversal-like behavior abuses the proxy’s path resolution logic rather than Keycloak itself. The vulnerability requires neither authentication nor user interaction, but exploitation complexity is high because it depends on specific proxy configurations and path manipulations. The impact is limited to confidentiality, potentially allowing unauthorized access to administrative data or interfaces, without affecting system integrity or availability. The CVSS score is 3.7 (low severity), reflecting the limited impact and exploitation difficulty. No known exploits have been reported, and no patches or fixes have been linked yet. Organizations running Keycloak behind proxies should audit proxy rules and path normalization settings to ensure sensitive administrative endpoints are not reachable.

Potential Impact

For European organizations, the primary impact is unauthorized disclosure of administrative interfaces and potentially sensitive configuration or user data managed via Keycloak’s admin console. While the vulnerability does not allow modification or disruption of services, unauthorized access to the admin interface could facilitate further attacks or data leakage. Organizations relying on Keycloak for identity and access management, especially those exposing /realms endpoints through proxies, are at risk if proxy configurations are not hardened. The risk is higher in sectors with strict compliance requirements (e.g., finance, healthcare) where administrative access controls are critical. The low CVSS score and lack of known exploits reduce immediate urgency, but the potential for privilege escalation or lateral movement in complex environments means mitigation is important. European entities using Red Hat and Keycloak in cloud or on-premises deployments should prioritize reviewing proxy configurations to avoid inadvertent exposure of admin paths.

Mitigation Recommendations

1. Strictly follow Keycloak’s official guidance by ensuring the /admin path is never exposed externally through proxies.
2. Review and harden proxy configurations (e.g., HAProxy) to enforce strict path normalization and disallow relative or non-normalized path traversal.
3. Implement network segmentation and access controls to restrict access to administrative interfaces to trusted internal networks only.
4. Monitor proxy logs for unusual path requests that attempt to access /admin via relative paths.
5. Apply any forthcoming patches or updates from Red Hat promptly once available.
6. Conduct penetration testing focusing on proxy path traversal to validate the effectiveness of mitigations.
7. Use Web Application Firewalls (WAFs) to detect and block suspicious path manipulation attempts targeting Keycloak endpoints.
8. Educate administrators on secure proxy deployment and the risks of exposing administrative paths inadvertently.
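The following added example (not part of this advisory or of Keycloak/HAProxy) illustrates recommendations 2 and 4 together: it computes the canonical path a proxy must derive before evaluating a prefix ACL (percent-decoding, slash merging, dot-segment resolution) and runs that check over constructed HAProxy-style access log lines to flag requests that only reach /admin after normalization. The log format, client addresses and backend names are assumed sample values.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed HAProxy-style access log lines (sample data, not from a real deployment).
SAMPLE_LOG = """\
10.0.0.5:51234 [28/Oct/2025:03:08:30.000] fe_public be_keycloak/kc1 1/0/1/12/14 200 512 - - ---- 1/1/0/0/0 0/0 "GET /realms/master/protocol/openid-connect/auth?client_id=x HTTP/1.1"
10.0.0.7:51235 [28/Oct/2025:03:08:31.000] fe_public be_keycloak/kc1 1/0/1/9/11 200 2048 - - ---- 1/1/0/0/0 0/0 "GET /realms/../admin/master/console/ HTTP/1.1"
10.0.0.7:51236 [28/Oct/2025:03:08:32.000] fe_public be_keycloak/kc1 1/0/1/9/11 200 2048 - - ---- 1/1/0/0/0 0/0 "GET /realms//%2e%2e/admin/ HTTP/1.1"
10.0.0.9:51237 [28/Oct/2025:03:08:33.000] fe_public fe_public/<NOSRV> 0/-1/-1/-1/0 403 0 - - PR-- 1/1/0/0/0 0/0 "GET /admin/master/console/ HTTP/1.1"
"""

REQUEST_RE = re.compile(r'^(?P<client>\S+) .*"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PROTECTED_PREFIXES = ("/admin",)   # must never be reachable through the proxy
EXPOSED_PREFIXES = ("/realms",)    # expected to be public

def normalize_path(target):
    """Canonical path the backend will resolve; a proxy must compute this BEFORE its ACLs."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):                      # undo (double) percent-encoding until stable
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", "/" + path)   # force leading slash, merge duplicate slashes
    return posixpath.normpath(path)         # resolve "." and ".." without escaping "/"

def under(path, prefixes):
    return any(path == p or path.startswith(p + "/") for p in prefixes)

def classify(target):
    raw = target.split("?", 1)[0]
    norm = normalize_path(target)
    if under(norm, PROTECTED_PREFIXES):
        # Protected prefix reached only after normalization: a plain prefix ACL on the
        # raw path would have let this through (the pattern described for CVE-2025-10939).
        return "direct_admin" if under(raw, PROTECTED_PREFIXES) else "bypass_attempt"
    return "ok"

def scan_log(text):
    """Return (client, raw target, normalized path) for every bypass-style request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and classify(m["target"]) == "bypass_attempt":
            hits.append((m["client"], m["target"], normalize_path(m["target"])))
    return hits

if __name__ == "__main__":
    for client, raw, norm in scan_log(SAMPLE_LOG):
        print(f"{client}: {raw!r} normalizes to {norm!r}")
```

A proxy ACL that only inspects the raw request path admits the second and third sample requests; the same `normalize_path` logic applied before the ACL, or a normalizing feature of the proxy itself, is what closes the gap.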


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-09-25T03:17:59.929Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69003706ba6dffc5e2309f16

Added to database: 10/28/2025, 3:22:46 AM

Last enriched: 10/28/2025, 3:37:41 AM

Last updated: 10/28/2025, 5:22:03 AM

