CVE-2025-3910: 
Java vulnerability analysis and mitigation

A vulnerability (CVE-2025-3910) was discovered in Keycloak's org.keycloak.authorization package. The flaw allows users to bypass required actions configured by administrators, specifically enabling users to circumvent security requirements such as two-factor authentication setup. The vulnerability was reported on April 23, 2025, and affects Red Hat build of Keycloak installations (Wiz Report, NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The flaw is categorized under CWE-287 (Improper Authentication) and specifically affects the Application-initiated actions (AIA) functionality in Keycloak. The vulnerability can be exploited through URL parameter manipulation during the sign-in process (Red Hat CVE, Red Hat Bugzilla).

When exploited, this vulnerability allows authenticated users to bypass administrator-configured required actions during the sign-in process. The primary security impact is the potential circumvention of critical security measures, particularly the ability to skip mandatory two-factor authentication setup requirements (Red Hat CVE).

Red Hat has addressed this vulnerability by releasing security updates in Red Hat build of Keycloak 26.0.11. The fixes are available through two security advisories: RHSA-2025:4335 for the container images and RHSA-2025:4336 for the standalone packages. Users are advised to back up their existing installation, including all applications, configuration files, and databases before applying the updates (Red Hat Advisory).