Primary

Context

Keycloak Two-Factor Authentication Bypass Vulnerability

Vulnerability

Patched

A vulnerability in Keycloak's authorization package allows users to bypass required actions, such as setting up two-factor authentication. This issue affects the Red Hat build of Keycloak 26.0.11.

Impact

Exploitation of this vulnerability allows users to circumvent two-factor authentication requirements, potentially leading to unauthorized access.

Reproduction

To reproduce this vulnerability, a user account must be configured by an administrator to perform a required action, such as setting up two-factor authentication. During the sign-in process, the user can then pass a URL parameter to bypass the requirement.

Remediation

Users can update to the Red Hat build of Keycloak 26.0.11 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

0.6

exploitability

6.8

remediation

7.7

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

0.6

exploitability

6.8

remediation

7.7

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Keycloak Two-Factor Authentication Bypass Vulnerability

Vulnerability

Impact

Reproduction

Remediation

Affected Products

Red Hat build of Keycloak

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating