CVE-2025-14083
Unknown Unknown - Not Provided
Improper Access Control in Keycloak Admin API Exposes Backend Schema

Publication date: 2026-01-21

Last updated on: 2026-04-02

Assigner: Red Hat, Inc.

Description
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14083
EUVD
EUVD-2026-3683
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jboss keycloak *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Improper Access Control flaw in the Keycloak Admin REST API. It allows a user with only low-privilege 'create-client' permission to access an endpoint that exposes internal user profile schema data, such as attribute names, validation rules, display metadata, and permission mappings. Although it does not disclose actual user account data, it leaks backend schema and configuration metadata due to insufficient authorization checks, enabling an authenticated, minimally privileged user to retrieve sensitive information remotely. [1]

Impact Analysis

The vulnerability can impact you by exposing backend schema and rules to low-privilege users, which could allow attackers to craft targeted attacks or attempt privilege escalation. This means that even users with minimal permissions might gain insights that help them exploit the system further, potentially compromising security. [1]

Detection Guidance

This vulnerability can be detected by checking if a user with low privileges (such as the 'create-client' permission) can access the `/admin/realms/master/users/profile` endpoint on the Keycloak Admin REST API. A practical detection method is to authenticate as a low-privilege user and attempt to send an HTTP GET request to this endpoint. For example, using curl: `curl -i -H "Authorization: Bearer <token>" https://<keycloak-server>/admin/realms/master/users/profile`. If the response returns backend schema and configuration metadata, the system is vulnerable. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the `/admin/realms/master/users/profile` endpoint to only fully authorized users, reviewing and tightening the permissions associated with the 'create-client' role to prevent access to sensitive endpoints, and applying any available patches or updates from Keycloak or your vendor that address this improper access control vulnerability. [1]

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14083. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart