Insecure deserialization in org.keycloak:keycloak-ldap-federation

Description

The Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization. A flaw was found in the Keycloak LDAP User Federation provider: an authenticated realm administrator can trigger deserialization of untrusted Java objects by configuring a malicious LDAP server.

Mitigation

If upgrading to a patched version is not possible, disable LDAP referrals in every LDAP user federation provider in every realm.

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
