CVE-2024-10451 MEDIUM

CVE-2024-10451: Org.keycloak:keycloak-quarkus-server: sensitive data exposure in keycloak build process

Vendor Red Hat
Product Red Hat build of Keycloak 24.0.9
Weakness CWE-798 · Hardcoded credentials
Published November 25, 2024
Last update November 11, 2025

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

A flaw was found in Keycloak. Sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in the generated bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as default values, making it accessible at runtime. Indirect use of environment variables for SPI options and Quarkus properties is vulnerable as well, because the PropertyMapper logic expands them unconditionally and captures the sensitive data as default values; this affects all Keycloak versions up to 26.0.2.

Key dates

Disclosure timeline

November 25, 2024 CVE published
November 11, 2025 Record updated