Duplicate Advisory: Authentication Bypass Due to Missing LDAP Bind After Password Reset in Keycloak

GHSA-m3hp-8546-5qmr

Published Jan 22, 2025 · Modified Feb 4, 2026

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-2p82-5wwr-43cw. This link is maintained to preserve external references.

Original Description

A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycloak, bypassing AD restrictions. The issue enables authentication bypass and could allow unauthorized access under certain conditions.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-0604
WEB https://access.redhat.com/errata/RHSA-2025:2544
WEB https://access.redhat.com/errata/RHSA-2025:2545
WEB https://access.redhat.com/security/cve/CVE-2025-0604
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2338993
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes