logo

Database

Insecure deserialization In org.keycloak:keycloak-ldap-federation

Description

Duplicate Advisory: Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-4hx9-48xh-5mxr. This link is maintained to preserve external references.

Original Description

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. NVD-2025-134672. GCVE-GHSA-93vm-mqpw-8wh33. access.redhat.com4. access.redhat.com5. access.redhat.com6. access.redhat.com7. ACCESS-CVE-2025-13467

References

1. https://github.com/keycloak/keycloak/issues/444782. https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff21953283. https://bugzilla.redhat.com/show_bug.cgi?id=24160384. https://github.com/keycloak/keycloak/releases/tag/26.4.6

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.