The vulnerability in Keycloak stems from a path normalization flaw that appears when the server is deployed behind a reverse proxy such as HAProxy. The Keycloak security guides explicitly advise against exposing the `/admin` path externally, and the usual way to follow that advice is a proxy rule that denies requests whose path begins with `/admin`. This advisory identifies a bypass of that rule. An attacker can craft HTTP requests whose path contains non-normalized or relative segments (for example `..`). The proxy evaluates its deny rule against the raw, un-normalized path, so the request does not match `/admin` and is forwarded; the backend then normalizes the path and resolves it to the `/admin` application path relative to the publicly reachable `/realms` endpoint. Because `/realms` is intended to be public, the trick defeats the control meant to isolate the admin console from direct external access and can allow unauthorized interaction with administrative interfaces.
Platform: Keycloak
Version: <= 26.4.2
Vulnerability: Security Bypass
Severity: Low
Date: 2025-10-28
Prediction: 2025-11-18
What Undercode Says:
`curl -X GET http://`
`path_norm.py /realms/./../admin`
`haproxy.cfg http-request deny if { path_beg /admin }`
How to Exploit:
A crafted request containing path traversal sequences targeting `/realms/../admin` bypasses the proxy restriction and reaches the admin console.
Protection from this CVE
Update Keycloak as soon as a patched release is available; reconfigure the proxy (e.g., HAProxy) so that `/admin` is denied on the normalized, absolute path rather than on the raw request path; and implement robust path normalization (dot-segment resolution, percent-decoding, slash collapsing) at the proxy layer before any access-control rule is evaluated.
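The following Python script is an added illustration of the protection advice above; it is not code from the advisory, from Keycloak or from HAProxy. It models the two ways a proxy can evaluate a `/admin` deny rule: `naive_deny` mirrors a `path_beg /admin` check applied to the raw request path, and `normalized_deny` applies the same check only after the path has been percent-decoded, had repeated slashes collapsed and had `.`/`..` segments resolved. The sample request paths are constructed for the demonstration. The normalizer deliberately decodes repeatedly so that double-encoded dots are caught too; that is a conservative design choice for a deny rule, not a claim about how any particular proxy behaves (in real HAProxy deployments the equivalent is done with `http-request normalize-uri` directives placed before the ACL).

```python
from urllib.parse import unquote

# Prefixes that must never be reachable from outside (the advisory's /admin rule).
DENIED_PREFIXES = ("/admin",)


def normalize_path(raw_path: str) -> str:
    """Return the canonical absolute path a backend would resolve raw_path to.

    Steps: strip query/fragment, percent-decode (repeatedly, to unwrap double
    encoding), collapse empty and '.' segments, resolve '..' segments.
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]

    # Decode until stable, bounded so a pathological input cannot loop forever.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded

    resolved = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue  # '//' and '/./' add nothing
        if segment == "..":
            if resolved:
                resolved.pop()  # step back one segment, never above the root
            continue
        resolved.append(segment)
    return "/" + "/".join(resolved)


def naive_deny(raw_path: str) -> bool:
    """Weak rule: prefix match on the raw path, as `path_beg /admin` does."""
    return raw_path.startswith(DENIED_PREFIXES)


def normalized_deny(raw_path: str) -> bool:
    """Hardened rule: normalize first, then apply the same prefix match."""
    return normalize_path(raw_path).startswith(DENIED_PREFIXES)


# Constructed sample requests: legitimate realm traffic, a direct /admin hit,
# and several un-normalized variants of the bypass described in the advisory.
SAMPLE_PATHS = [
    "/realms/master/protocol/openid-connect/auth?client_id=demo",
    "/admin/master/console/",
    "/realms/../admin/master/console/",
    "/realms/./../admin",
    "/realms/%2e%2e/admin",
    "/realms/%252e%252e/admin",
    "//admin",
]


def evaluate(paths=SAMPLE_PATHS):
    """Return (raw, normalized, naive_denied, normalized_denied) per path."""
    return [
        (p, normalize_path(p), naive_deny(p), normalized_deny(p))
        for p in paths
    ]


def bypasses(paths=SAMPLE_PATHS):
    """Paths the naive rule forwards but the normalized rule blocks."""
    return [p for p, _, naive, norm in evaluate(paths) if norm and not naive]


if __name__ == "__main__":
    print(f"{'raw':40} {'normalized':28} naive  normalized")
    for raw, norm, naive, hardened in evaluate():
        print(f"{raw:40} {norm:28} {str(naive):6} {hardened}")
    print("\nrequests that slip past the raw-path rule:", bypasses())
```

Running the script prints one row per sample path; every row whose raw path contains a dot segment, an encoded dot segment or a doubled slash shows `naive` as False and `normalized` as True, which is exactly the gap the advisory describes. The same normalization should run before any allow or deny rule, not only the `/admin` one, so that other protected paths do not inherit the same weakness.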
Impact:
Unauthorized access to the administrative interface, potentially leading to configuration changes and privilege escalation within the Keycloak instance.
Sources:
Reported By: github.com

