CVE-2025-14083
Improper Access Control in Keycloak Admin API Exposes Backend Schema
Publication date: 2026-01-21
Last updated on: 2026-04-02
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jboss | keycloak | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Improper Access Control flaw in the Keycloak Admin REST API. It allows a user with only low-privilege 'create-client' permission to access an endpoint that exposes internal user profile schema data, such as attribute names, validation rules, display metadata, and permission mappings. Although it does not disclose actual user account data, it leaks backend schema and configuration metadata due to insufficient authorization checks, enabling an authenticated, minimally privileged user to retrieve sensitive information remotely. [1]
How can this vulnerability impact me?
The vulnerability can impact you by exposing backend schema and rules to low-privilege users, which could allow attackers to craft targeted attacks or attempt privilege escalation. This means that even users with minimal permissions might gain insights that help them exploit the system further, potentially compromising security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether a user whose only realm-management role is 'create-client' can read the `/admin/realms/<realm>/users/profile` endpoint of the Keycloak Admin REST API (the realm segment selects whose user-profile configuration is returned; the advisory uses `master`). A practical check is to obtain an access token for such a low-privilege test account and send an HTTP GET to the endpoint, for example with curl: `curl -i -H "Authorization: Bearer <token>" https://<keycloak-server>/admin/realms/master/users/profile`. If the response is HTTP 200 carrying the user-profile configuration (attribute names, validators, display metadata and permission mappings), the server is vulnerable; a server with the authorization check in place denies the request, typically with HTTP 403. Run the probe with an account that holds nothing beyond 'create-client', since any broader admin role would legitimately be allowed to read the configuration and would mask the result. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps are: apply the Keycloak or vendor update that adds the missing authorization check to this endpoint; in the meantime, audit which users and service accounts hold the realm-management 'create-client' role and remove it wherever it is not required; and, where the Admin REST API is fronted by a reverse proxy, restrict who can reach `/admin/realms/<realm>/users/profile` to fully authorized administrators (keeping in mind that the admin console reads the same endpoint, so a blanket block also affects legitimate administration). Because the leaked data is the profile schema rather than user records, also review whether attribute names, validation rules or permission mappings reveal internal systems or conventions that an attacker could use to target follow-on attacks. [1]
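The following script, an added example that is not code from Keycloak or from the advisory, implements both the detection probe described above and the role audit from the mitigation steps. It uses the public Keycloak Admin REST API paths (the token endpoint with the built-in `admin-cli` client, `/admin/realms/{realm}/users/profile`, and the per-role `/users` listing of the `realm-management` client); the host, realm and credentials are placeholders you must replace, and the test account is assumed to hold only the `create-client` client role.

```python
"""Probe a Keycloak server for CVE-2025-14083 and audit create-client holders.

Added example, not part of Keycloak or of the advisory. Assumes:
  - a test account whose ONLY realm-management role is 'create-client'
  - an admin account for the audit step
  - the public Keycloak Admin REST API paths; host and credentials are placeholders
"""
import json
import urllib.error
import urllib.parse
import urllib.request

KEYCLOAK = "https://keycloak.example.com"   # assumption: your server
REALM = "master"                            # realm whose profile config is requested

VULNERABLE = "vulnerable"
NOT_VULNERABLE = "not_vulnerable"
INCONCLUSIVE = "inconclusive"


def get_token(base_url, realm, username, password):
    """Resource-owner password grant via the built-in admin-cli public client."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": username,
        "password": password,
    }).encode()
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]


def admin_get(base_url, token, path):
    """GET an Admin REST path; return (status, body) instead of raising on 4xx/5xx."""
    req = urllib.request.Request(f"{base_url}/admin{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def classify(status, body):
    """Decide from a /users/profile response whether the schema was exposed.

    HTTP 200 whose JSON carries the user-profile 'attributes' list means the
    low-privilege caller received the schema (vulnerable). 401/403 means the
    server enforced authorization (not vulnerable). Anything else is inconclusive
    (wrong account, wrong path, server error) and needs a manual look.
    """
    if status in (401, 403):
        return NOT_VULNERABLE
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return INCONCLUSIVE
        if isinstance(doc, dict) and isinstance(doc.get("attributes"), list):
            return VULNERABLE
    return INCONCLUSIVE


def check_profile_exposure(base_url, realm, username, password):
    """Authenticate as the create-client-only test user and probe the endpoint."""
    token = get_token(base_url, realm, username, password)
    status, body = admin_get(base_url, token, f"/realms/{realm}/users/profile")
    return classify(status, body)


def users_with_create_client(base_url, realm, admin_token):
    """List users with a direct mapping of realm-management/create-client."""
    _, body = admin_get(base_url, admin_token,
                        f"/realms/{realm}/clients?clientId=realm-management")
    client_uuid = json.loads(body)[0]["id"]
    _, body = admin_get(base_url, admin_token,
                        f"/realms/{realm}/clients/{client_uuid}/roles/create-client/users")
    return sorted(u["username"] for u in json.loads(body))


if __name__ == "__main__":
    # Placeholders: a create-client-only test account and an admin account.
    print("probe:", check_profile_exposure(KEYCLOAK, REALM, "lowpriv-tester", "changeme"))
    admin = get_token(KEYCLOAK, "master", "admin", "admin-password")
    print("direct create-client holders:", users_with_create_client(KEYCLOAK, REALM, admin))
```

The audit step lists only direct role mappings; users who receive `create-client` through a group or a composite role such as `realm-admin` do not appear in that listing, so check group and composite assignments separately. The password grant requires direct access grants on `admin-cli`, which Keycloak enables by default; if your deployment has changed that, obtain the token by whatever flow you use for scripted administration and pass it to `admin_get` directly.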
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.