- Issued:
- 2025-03-10
- Updated:
- 2025-03-10
RHSA-2025:2545 - Security Advisory
Synopsis
Moderate: Red Hat build of Keycloak 26.0.10 Update
Type/Severity
Security Advisory: Moderate
Topic
New Red Hat build of Keycloak 26.0.10 packages are available from the Customer Portal
Description
Red Hat build of Keycloak 26.0.10 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
Security fixes:
- Authentication Bypass Due to Missing LDAP Bind After Password Reset in Keycloak (CVE-2025-0604)
- Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims (CVE-2025-1391)
Solution
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
Affected Products
- Red Hat build of Keycloak Text-only Advisories x86_64
Fixes
- BZ - 2338993 - CVE-2025-0604 keycloak-ldap-federation: Authentication Bypass Due to Missing LDAP Bind After Password Reset in Keycloak
- BZ - 2346082 - CVE-2025-1391 keycloak-services: Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.