A medium-severity vulnerability, CVE-2025-0604, affects Keycloak versions 26.1.0 and prior. It allows attackers to bypass authentication through a flaw in the Active Directory password-reset flow: users whose AD accounts are expired or disabled can regain access because the reset is completed without proper LDAP validation of the account's state. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0604.