Issued:

2025-04-29

Updated:

2025-04-29

RHSA-2025:4336 - Important: Red Hat build of Keycloak 26.0.11 Update

Synopsis

Important: Red Hat build of Keycloak 26.0.11 Update

Type/Severity

Security Advisory Important

Topic

New Red Hat build of Keycloak 26.0.11 packages are available from the Customer Portal

Description

Red Hat build of Keycloak 26.0.11 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Security fixes:

• JWT Token Cache Exhaustion Leading to Denial of Service (DoS) in Keycloak
• Keycloak hostname verification
• Two factor authentication bypass

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Affected Products

Fixes

• This content is not included.BZ - 2353868
• This content is not included.BZ - 2358834
• This content is not included.BZ - 2361923

CVEs

• CVE-2025-2559
• CVE-2025-3501
• CVE-2025-3910

References

• https://access.redhat.com/security/updates/classification/#important

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.