Description

A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.

INFO

Published Date :

2026-02-27T08:10:15.448Z

Last Modified :

2026-03-06T18:46:41.611Z

Source :

redhat
AFFECTED PRODUCTS

The following products are affected by CVE-2025-12150 vulnerability.

Vendors Products
Redhat
  • Build Keycloak
  • Build Of Keycloak
  • Keycloak
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-12150.

URL Resource
https://access.redhat.com/errata/RHSA-2025:21370 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:21371 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:22088 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:22089 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2025-12150 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2406192 cve-icon cve-icon
https://github.com/keycloak/keycloak/issues/43723 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-12150 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-12150 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact