Headline
GHSA-27gc-wj6x-9w55: Keycloak error_description injection on error pages that can trigger phishing attacks
Keycloak’s account console accepts arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-10044
Keycloak error_description injection on error pages that can trigger phishing attacks
Moderate severity GitHub Reviewed Published Oct 8, 2025 in keycloak/keycloak • Updated Oct 17, 2025
Package
maven org.keycloak:keycloak-account-ui (Maven)
Affected versions
< 26.2.9
>= 26.3.0, < 26.3.4
Patched versions
26.2.9
26.3.4
maven org.keycloak:keycloak-admin-ui (Maven)
< 26.2.9
>= 26.3.0, < 26.3.4
Description
Published to the GitHub Advisory Database
Oct 17, 2025
Last updated
Oct 17, 2025