anonhaven
Ad

CVE-2025-12150

LOW CVSS 3.1: 3.1 EPSS 0.03%
Updated Feb 27, 2026
Keycloak
Parameter Value
CVSS 3.1 (LOW)
Type CWE-347 (Improper Verification of Cryptographic Signature)
Vendor Keycloak
Public PoC No

A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
None
No data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-347 Improper Verification of Cryptographic Signature

References 7

https://access.redhat.com/errata/RHSA-2025:21370
secalert@redhat.com
https://access.redhat.com/errata/RHSA-2025:21371
secalert@redhat.com
https://access.redhat.com/errata/RHSA-2025:22088
secalert@redhat.com
https://access.redhat.com/errata/RHSA-2025:22089
secalert@redhat.com
https://access.redhat.com/security/cve/CVE-2025-12150
secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2406192
secalert@redhat.com
https://github.com/keycloak/keycloak/issues/43723
secalert@redhat.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-3429

Keycloak

4.2

CVE-2026-3911

Keycloak

2.7

CVE-2026-30949

Keycloak

7.6

CVE-2026-3047

Keycloak

8.8

CVE-2026-3009

Keycloak

8.1