CVE-2024-10039

HIGH7.1

Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination

Published: 11/25/2024Modified: 2/4/2026

Also known as:GHSA-93ww-43rr-79v3CGA-5m29-pjcj-vjv6

Description

A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.

Affected packages (1)

Maven/org.keycloak:keycloak-corefrom 0, < 26.0.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References (3)

PATCHhttps://github.com/keycloak/keycloak
WEBhttps://github.com/keycloak/keycloak/issues/35217
WEBhttps://github.com/keycloak/keycloak/security/advisories/GHSA-93ww-43rr-79v3