diff --git a/services/src/main/java/org/keycloak/vault/FilesPlainTextVaultProvider.java b/services/src/main/java/org/keycloak/vault/FilesPlainTextVaultProvider.java
index 8f24948980b..5b835ed2df5 100644
--- a/services/src/main/java/org/keycloak/vault/FilesPlainTextVaultProvider.java
+++ b/services/src/main/java/org/keycloak/vault/FilesPlainTextVaultProvider.java
@@ -50,7 +50,7 @@ public class FilesPlainTextVaultProvider extends AbstractVaultProvider {
 @Override
 protected VaultRawSecret obtainSecretInternal(String vaultSecretId) {
- Path secretPath = vaultPath.resolve(vaultSecretId);
+ Path secretPath = vaultPath.resolve(vaultSecretId).normalize();
 if (!Files.exists(secretPath)) {
 logger.warnf("Cannot find secret %s in %s", vaultSecretId, secretPath);
 return DefaultVaultRawSecret.forBuffer(Optional.empty());
@@ -69,13 +69,16 @@ public class FilesPlainTextVaultProvider extends AbstractVaultProvider {
 if (!super.validate(resolver, key, resolvedKey)) {
 return false;
 }
- Path secretPath = vaultPath.resolve(resolvedKey);
+ Path secretPath = vaultPath.resolve(resolvedKey).normalize();
 Path expectedPath = vaultPath;
 if (resolver == AbstractVaultProviderFactory.AvailableResolvers.REALM_FILESEPARATOR_KEY.getVaultKeyResolver()) {
 expectedPath = expectedPath.resolve(realm);
 }
- if (!secretPath.getParent().equals(expectedPath)) {
+ expectedPath = expectedPath.normalize();
+
+ Path parent = secretPath.getParent();
+ if (parent == null || !parent.equals(expectedPath)) {
 logger.warnf("Path traversal attempt detected in secret %s.", key);
 return false;
 }
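Review bot: In obtainSecretInternal the added `.normalize()` on `secretPath` changes nothing security-wise on its own, because no line in this hunk compares the normalized path against `vaultPath`; a `vaultSecretId` containing `..` still resolves lexically to wherever it points, and the read that presumably follows (the method body continues outside the hunk) depends on `validate` having run first. Since `normalize()` is what makes a containment test reliable, it would be cheap to make this method self-defending instead of relying on that ordering: `if (!secretPath.startsWith(vaultPath.normalize())) { logger.warnf("Path traversal attempt detected in secret %s.", vaultSecretId); return DefaultVaultRawSecret.forBuffer(Optional.empty()); }` placed right after the new line, before the `Files.exists` check, so that a missing secret and a rejected path log differently. A short comment on the new line, `// normalize so a containment check below sees the lexical target of any ".." segments`, would make the intent of the change visible to the next reader. The same `.normalize()` is added in the second hunk (validate), where the containment comparison does exist.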
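Review bot: In validate the new `parent.equals(expectedPath)` check anchors to `expectedPath`, but when the REALM_FILESEPARATOR_KEY resolver is active `expectedPath` is `vaultPath.resolve(realm).normalize()`, and nothing in the hunk verifies that this realm-derived directory is still inside `vaultPath`; if `realm` could ever carry a separator or `..` segment (I cannot tell from the hunk how `realm` is validated upstream), `expectedPath` would leave the vault and a secret under that foreign directory would pass the parent comparison. One extra guard closes that gap regardless of how `realm` is sourced: `if (!expectedPath.startsWith(vaultPath.normalize())) { logger.warnf("Path traversal attempt detected in secret %s.", key); return false; }` immediately after `expectedPath = expectedPath.normalize();`. Note also that `Path.normalize()` is purely lexical, so a symlink placed inside the vault directory is not what this check defends against — worth stating in a one-line comment above the comparison, e.g. `// lexical check only: ".." and "." are collapsed, symlinks are not resolved`, so nobody later assumes `toRealPath` semantics here. The `parent == null` branch is a good addition since `normalize()` of a path like `..` relative to a one-segment `vaultPath` can yield a parentless path.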