Issued: 2025-11-13
Updated: 2025-11-13

RHSA-2025:21370 - Moderate: Red Hat build of Keycloak 26.4.4 Security Update


Synopsis

Moderate: Red Hat build of Keycloak 26.4.4 Security Update

Type/Severity

Security Advisory Moderate

Topic

New Red Hat build of Keycloak 26.4.4 packages are available from the Customer Portal

Description

Red Hat build of Keycloak 26.4.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Security fixes:

  • Unable to restrict access to the admin console (CVE-2025-10939)
  • Debug default bind address (CVE-2025-11538)
  • User can refresh offline session even after client's offline_access scope was removed (CVE-2025-12110)
  • WebAuthn Attestation Statement Verification Bypass (CVE-2025-12150)
  • Offline Session takeover due to reused Authentication Session ID (CVE-2025-12390)

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
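The five fixes above are all carried by the single 26.4.4 build, so the practical question for an operator is whether a given installation is still below that version and which CVEs the update closes. The script below is an added example, not Red Hat's or the Keycloak project's code: it parses the advisory text (the title and the "Security fixes" list, embedded here as a constructed sample) to pull out the fixed version and the CVE identifiers, then compares an installed version string against it. The rule that a build in the same major.minor stream with a lower patch level is affected, and that a build from another stream cannot be decided from this advisory alone, is an assumption of the example, not something the advisory states.

```python
import re

# Constructed sample input: the advisory title and "Security fixes" list from the
# page above, embedded so the script runs offline.
ADVISORY_TEXT = """\
RHSA-2025:21370 - Moderate: Red Hat build of Keycloak 26.4.4 Security Update
Security fixes:
  * Unable to restrict access to the admin console (CVE-2025-10939)
  * Debug default bind address (CVE-2025-11538)
  * User can refresh offline session even after client's offline_access scope was removed (CVE-2025-12110)
  * WebAuthn Attestation Statement Verification Bypass (CVE-2025-12150)
  * Offline Session takeover due to reused Authentication Session ID (CVE-2025-12390)
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# The fixed version is read from the advisory title ("... Keycloak 26.4.4 Security Update").
FIXED_VERSION_RE = re.compile(r"Keycloak (\d+(?:\.\d+)+) Security Update")


def parse_version(text):
    """Turn '26.4.4' into (26, 4, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def extract_fixed_version(advisory):
    """Return the fixed version named in the advisory title as a tuple."""
    match = FIXED_VERSION_RE.search(advisory)
    if match is None:
        raise ValueError("advisory title does not name a fixed version")
    return parse_version(match.group(1))


def extract_cves(advisory):
    """Return the CVE identifiers in the advisory, in order of first appearance."""
    found = []
    for cve in CVE_RE.findall(advisory):
        if cve not in found:
            found.append(cve)
    return found


def assess(installed, advisory):
    """Decide whether an installed version still needs this advisory's update.

    Assumption (not stated by the advisory): a build in the same major.minor
    stream with a lower patch level is affected; a build from a different
    stream is reported as None, meaning 'not decided by this advisory'.
    """
    fixed = extract_fixed_version(advisory)
    current = parse_version(installed)
    if current[:2] != fixed[:2]:
        needs_update = None
    else:
        needs_update = current < fixed
    return {
        "installed": current,
        "fixed": fixed,
        "needs_update": needs_update,
        "cves": extract_cves(advisory),
    }


if __name__ == "__main__":
    for version in ("26.4.3", "26.4.4", "26.3.9"):
        result = assess(version, ADVISORY_TEXT)
        print(version, "->", result["needs_update"], "covers", ", ".join(result["cves"]))
```

Run it with the version string your deployment reports; a result of `None` means the installed build is outside the 26.4 stream this advisory covers and you should check the advisory that applies to that stream rather than treat it as clean.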

Affected Products

Product                      Version               Arch
Red Hat build of Keycloak    Text-only Advisories  x86_64

Fixes

(none)
