Privilege escalation in org.keycloak:keycloak-services

Description

Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes.

A flaw was found in the Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions