CVE-2025-10044 — Keycloak error_description injection on error pages that can trigger phishing at

Description

Keycloak’s account console accepts arbitrary text in the `error_description` query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors.

How to fix CVE-2025-10044

To remediate CVE-2025-10044, upgrade the affected package to a fixed version below.

—upgrade to 26.2.9 or later
—upgrade to 26.2.9 or later

Is CVE-2025-10044 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 26.2.9
from 0, < 26.2.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-10044
PATCHgithub.com/keycloak/keycloak
WEBaccess.redhat.com/errata/RHSA-2025:16399
WEBaccess.redhat.com/errata/RHSA-2025:16400
WEBaccess.redhat.com