Search for vulnerabilities
Vulnerability details: VCID-1rp9-hqyn-vqh8
Vulnerability ID VCID-1rp9-hqyn-vqh8
Aliases CVE-2025-3910
GHSA-5jfq-x6xp-7rw2
Summary Keycloak vulnerable to two factor authentication bypass # Description A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-287 Improper Authentication
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 5.4 https://access.redhat.com/errata/RHSA-2025:4335
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2025:4335
ssvc Track https://access.redhat.com/errata/RHSA-2025:4335
cvssv3.1 5.4 https://access.redhat.com/errata/RHSA-2025:4336
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2025:4336
ssvc Track https://access.redhat.com/errata/RHSA-2025:4336
cvssv3 5.4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3910.json
cvssv3.1 5.4 https://access.redhat.com/security/cve/CVE-2025-3910
generic_textual MODERATE https://access.redhat.com/security/cve/CVE-2025-3910
ssvc Track https://access.redhat.com/security/cve/CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-3910
cvssv3.1 5.4 https://bugzilla.redhat.com/show_bug.cgi?id=2361923
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=2361923
ssvc Track https://bugzilla.redhat.com/show_bug.cgi?id=2361923
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-5jfq-x6xp-7rw2
cvssv3.1 5.4 https://github.com/keycloak/keycloak
generic_textual MODERATE https://github.com/keycloak/keycloak
cvssv3.1 5.4 https://github.com/keycloak/keycloak/issues/39349
generic_textual MODERATE https://github.com/keycloak/keycloak/issues/39349
ssvc Track https://github.com/keycloak/keycloak/issues/39349
cvssv3.1 5.4 https://github.com/keycloak/keycloak/security/advisories/GHSA-5jfq-x6xp-7rw2
cvssv3.1_qr MODERATE https://github.com/keycloak/keycloak/security/advisories/GHSA-5jfq-x6xp-7rw2
generic_textual MODERATE https://github.com/keycloak/keycloak/security/advisories/GHSA-5jfq-x6xp-7rw2
cvssv3.1 5.4 https://nvd.nist.gov/vuln/detail/CVE-2025-3910
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-3910
Reference id Reference type URL
https://access.redhat.com/errata/RHSA-2025:4335
https://access.redhat.com/errata/RHSA-2025:4336
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3910.json
https://access.redhat.com/security/cve/CVE-2025-3910
https://api.first.org/data/v1/epss?cve=CVE-2025-3910
https://bugzilla.redhat.com/show_bug.cgi?id=2361923
https://github.com/keycloak/keycloak
https://github.com/keycloak/keycloak/issues/39349
https://github.com/keycloak/keycloak/security/advisories/GHSA-5jfq-x6xp-7rw2
https://nvd.nist.gov/vuln/detail/CVE-2025-3910
cpe:/a:redhat:build_keycloak:26 https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26
cpe:/a:redhat:build_keycloak:26.0::el9 https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.0::el9
GHSA-5jfq-x6xp-7rw2 https://github.com/advisories/GHSA-5jfq-x6xp-7rw2
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:4335
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T15:52:31Z/ Found at https://access.redhat.com/errata/RHSA-2025:4335
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:4336
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T15:52:31Z/ Found at https://access.redhat.com/errata/RHSA-2025:4336
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3910.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://access.redhat.com/security/cve/CVE-2025-3910
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T15:52:31Z/ Found at https://access.redhat.com/security/cve/CVE-2025-3910
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=2361923
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T15:52:31Z/ Found at https://bugzilla.redhat.com/show_bug.cgi?id=2361923
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/keycloak/keycloak
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/keycloak/keycloak/issues/39349
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T15:52:31Z/ Found at https://github.com/keycloak/keycloak/issues/39349
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/keycloak/keycloak/security/advisories/GHSA-5jfq-x6xp-7rw2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-3910
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.04419
EPSS Score 0.00023
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:37:04.392151+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-5jfq-x6xp-7rw2/GHSA-5jfq-x6xp-7rw2.json 37.0.0