CVE-2025-12150

Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)

Description A flaw exists in Keycloak’s WebAuthn registration component. This allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators by submitting an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.