CVE-2025-10939: 
Java vulnerability analysis and mitigation

A security vulnerability was identified in Keycloak (CVE-2025-10939) related to unauthorized access to the admin console. The vulnerability was discovered and published to the CVE List on October 28, 2025. The issue affects the org.keycloak/keycloak-quarkus-server component when using proxy configurations, particularly with ha-proxy (Red Hat CVE, NVD).

The vulnerability is classified as CWE-427 (Uncontrolled Search Path Element) with a CVSS v3.1 base score of 3.7 (Low). The technical issue involves the ability to bypass access restrictions to the /admin path when using a proxy server. Specifically, the vulnerability can be exploited by using relative/non-normalized paths to access the /admin application path relative to /realms, which is typically exposed (Red Hat Bugzilla).

The vulnerability allows potential unauthorized access to the admin console, which should normally be restricted from external access. While authentication is still required for the admin path, the vulnerability exposes a path that administrators believe to be inaccessible, potentially compromising the security posture of the system (Red Hat CVE).

Currently, no official mitigation is available that meets Red Hat Product Security criteria for ease of use, deployment, and stability. The issue is more prominent in ha-proxy configurations, while other proxies like mod-proxy correctly manage non-normalized URLs by normalizing the path. It has been suggested that Keycloak should return an error by default for non-normalized URLs (Red Hat CVE).