Skip to main content
CVE Vulnerability Database

CVE-2025-3910: Keycloak Auth Bypass Vulnerability

CVE-2025-3910 is an authentication bypass flaw in Redhat Build of Keycloak that allows users to circumvent required actions like two-factor authentication. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-3910 Overview

CVE-2025-3910 is an authentication flaw in the org.keycloak.authorization package of Red Hat build of Keycloak. The vulnerability allows users to circumvent required actions during authentication flows, including mandatory two-factor authentication (2FA) enrollment. This weakness maps to [CWE-287] Improper Authentication and undermines security policies that administrators rely on to enforce identity verification steps.

Exploitation requires user interaction over the network but no prior privileges. Successful abuse weakens the integrity of enrollment workflows, effectively letting an account skip controls the identity provider was configured to enforce.

Critical Impact

Attackers with valid credentials can bypass required actions such as 2FA setup, weakening account security and violating organizational identity policies.

Affected Products

  • Red Hat build of Keycloak
  • Keycloak deployments using the org.keycloak.authorization package
  • Downstream identity federation services relying on Keycloak required actions

Discovery Timeline

  • 2025-04-29 - CVE-2025-3910 published to the National Vulnerability Database (NVD)
  • 2025-04-29 - Red Hat issues security advisories RHSA-2025:4335 and RHSA-2025:4336
  • 2026-06-17 - Last updated in the NVD database

Technical Details for CVE-2025-3910

Vulnerability Analysis

The flaw resides in Keycloak's org.keycloak.authorization package, which handles authorization decisions and required action enforcement. Required actions in Keycloak are mandatory steps a user must complete during authentication, including configuring 2FA, updating passwords, verifying email addresses, or accepting terms of service.

The package fails to consistently enforce these pending actions across all authentication paths. A user can complete authentication and reach protected resources without executing the actions the realm administrator marked as required. This defeats controls that operators depend on to raise the baseline security posture of accounts.

Root Cause

The root cause is an authorization logic gap where the required-actions checkpoint is skippable through specific request flows. The package does not uniformly validate that all pending required actions have been completed before finalizing a session. This is an [CWE-287] Improper Authentication weakness rather than a memory or injection flaw.

Attack Vector

Exploitation happens over the network and requires user interaction, meaning an authenticated user must drive the flow that bypasses the required action. An attacker holding stolen credentials could authenticate and evade the 2FA enrollment step intended to protect the account. The vulnerability does not directly permit unauthenticated remote code execution or data destruction, but it degrades the effectiveness of identity controls.

The vulnerability is exercised through manipulation of the authentication flow rather than a discrete payload. Refer to the GitHub Keycloak Issue #39349 and the Red Hat CVE Details CVE-2025-3910 advisory for technical specifics.

Detection Methods for CVE-2025-3910

Indicators of Compromise

  • Successful authentication events for accounts that still have pending required actions in the Keycloak admin console
  • User sessions established without corresponding 2FA enrollment records where 2FA is mandatory
  • Anomalous access to protected clients from users whose realm profile shows unmet required actions
  • Discrepancies between the required_actions attribute in user records and completed action events in audit logs

Detection Strategies

  • Query the Keycloak event store for LOGIN events and correlate them against UPDATE_TOTP, CONFIGURE_TOTP, or UPDATE_PASSWORD events to spot skipped steps
  • Enable Keycloak admin and login event logging at the realm level and forward the events to a SIEM for correlation
  • Alert when a user record retains requiredActions entries after a successful login session has been issued

Monitoring Recommendations

  • Continuously ingest Keycloak audit logs into centralized log analytics and retain them for post-incident review
  • Baseline the ratio of required-action completions to logins per realm and alert on statistical deviations
  • Monitor administrative changes to authentication flows and required action bindings for unauthorized modifications

How to Mitigate CVE-2025-3910

Immediate Actions Required

  • Apply the updates published in RHSA-2025:4335 and RHSA-2025:4336 to all Red Hat build of Keycloak instances
  • Audit user accounts in every realm for outstanding required actions and force re-enrollment where 2FA is expected
  • Invalidate active sessions for accounts that authenticated without completing mandatory required actions
  • Review authentication flow configuration to confirm required actions are bound at every entry point

Patch Information

Red Hat has released fixed builds through advisories RHSA-2025:4335 and RHSA-2025:4336. Track remediation guidance through the Red Hat CVE Details CVE-2025-3910 page and the underlying Red Hat Bugzilla Report #2361923.

Workarounds

  • Enforce 2FA at an upstream reverse proxy or WAF until Keycloak is patched
  • Restrict client scopes and token issuance for accounts flagged with pending required actions
  • Require administrators to manually verify 2FA enrollment for privileged users before granting sensitive role assignments
  • Temporarily disable self-service registration flows that depend solely on Keycloak required actions for hardening

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.