CVE-2025-10044 MEDIUM

CVE-2025-10044: Keycloak: keycloak error_description injection on error pages

Vendor Keycloak
Product keycloak
Weakness CWE-79 · XSS
Published September 5, 2025
Last update December 19, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors.

Key dates

02Disclosure timeline

September 5, 2025 CVE published
December 19, 2025 Record updated