CVE-2025-13881
Privilege Escalation in Keycloak Admin API Exposes Sensitive Attributes

Publication date: 2026-02-02

Last updated on: 2026-02-10

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.
Meta Information
Published: 2026-02-02
Last Modified: 2026-02-10
Generated: 2026-06-16
AI Q&A: 2026-02-02
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor Product Version / Range
keycloak keycloak *
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Quick Actions
Executive Summary

This vulnerability exists in Keycloak's Admin API, specifically in the /unmanagedAttributes endpoint. It allows an administrator with limited privileges (such as those with the view-users role) to bypass User Profile visibility settings and retrieve sensitive custom user attributes that are supposed to be hidden, like phone numbers and personal addresses. This happens because the endpoint does not enforce the visibility restrictions configured in the User Profile. [1]

Impact Analysis

If exploited, this vulnerability could allow an administrator with limited privileges to access sensitive personal information of users that should be hidden. This could lead to unauthorized disclosure of private data such as phone numbers and addresses, potentially compromising user privacy and trust. [1]

Detection Guidance

This vulnerability can be detected by checking whether an administrator with the view-users role can access the /unmanagedAttributes endpoint of the Keycloak Admin API and retrieve sensitive custom user attributes that should be hidden. To test this, use an HTTP client such as curl to send a request to the /unmanagedAttributes endpoint with the credentials of a user holding the view-users role. For example:

    curl -k -H "Authorization: Bearer <access_token>" https://<keycloak-server>/auth/admin/realms/<realm>/unmanagedAttributes

If sensitive custom attributes are returned despite the visibility restrictions, the vulnerability is present. [1]

Mitigation Strategies

Immediate mitigation steps include restricting the assignment of the view-users role to only trusted administrators, reviewing and limiting the use of custom attributes with restricted visibility in the User Profile feature, and monitoring access to the /unmanagedAttributes endpoint. Additionally, applying any available patches or updates from Keycloak that address this issue is recommended once released. [1]
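The mitigation above recommends monitoring access to the /unmanagedAttributes endpoint. Read-only Admin API calls (GET) are not recorded as Keycloak admin events, so in practice the reverse-proxy access log in front of Keycloak is where such reads are visible. The following is an added example written for this page, not code from the Keycloak project or from the cited resources: it parses combined-format access log lines, extracts every GET of an unmanagedAttributes path (accepting both the realm-level form shown in the curl command above and an assumed per-user form under /users/{id}), and reports source addresses whose volume of successful reads exceeds a threshold. The log lines, realm name, user IDs and IP addresses are constructed sample data.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Constructed sample lines in nginx/Apache "combined" log format, as a reverse
# proxy in front of Keycloak might write them. Realm, user IDs and IPs are invented.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [03/Feb/2026:09:12:01 +0000] "GET /admin/realms/acme/users/3f2a1c77-0c1e-4a0b-9d2e-1a2b3c4d5e6f HTTP/1.1" 200 812 "-" "curl/8.5.0"
10.0.0.5 - - [03/Feb/2026:09:12:03 +0000] "GET /admin/realms/acme/users/3f2a1c77-0c1e-4a0b-9d2e-1a2b3c4d5e6f/unmanagedAttributes HTTP/1.1" 200 143 "-" "curl/8.5.0"
10.0.0.5 - - [03/Feb/2026:09:12:04 +0000] "GET /admin/realms/acme/users/8b9c0d11-2233-4455-6677-8899aabbccdd/unmanagedAttributes HTTP/1.1" 200 97 "-" "curl/8.5.0"
192.168.7.20 - - [03/Feb/2026:09:15:40 +0000] "GET /realms/acme/protocol/openid-connect/auth?client_id=app HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Feb/2026:09:12:06 +0000] "GET /admin/realms/acme/users/aa11bb22-cc33-dd44-ee55-ff6677889900/unmanagedAttributes HTTP/1.1" 403 0 "-" "curl/8.5.0"
"""

# Combined log format; only the fields needed here are captured.
_ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Admin API paths ending in /unmanagedAttributes. The optional /auth prefix covers
# older deployments; the optional /users/{id} segment is an assumption, the page
# itself shows the realm-level form.
_UNMANAGED_RE = re.compile(
    r'^(?:/auth)?/admin/realms/(?P<realm>[^/?]+)/'
    r'(?:users/(?P<user_id>[^/?]+)/)?unmanagedAttributes(?:\?.*)?$'
)


class AttributeRead(NamedTuple):
    ip: str
    time: str
    realm: str
    user_id: Optional[str]
    status: int


def parse_unmanaged_attribute_read(line: str) -> Optional[AttributeRead]:
    """Return an AttributeRead if the line is a GET of an unmanagedAttributes path, else None."""
    m = _ACCESS_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    p = _UNMANAGED_RE.match(m.group("path"))
    if not p:
        return None
    return AttributeRead(m.group("ip"), m.group("time"), p.group("realm"),
                         p.group("user_id"), int(m.group("status")))


def find_unmanaged_attribute_reads(log_text: str) -> List[AttributeRead]:
    """All unmanagedAttributes reads in the log, including rejected (non-2xx) ones."""
    reads = []
    for line in log_text.splitlines():
        ev = parse_unmanaged_attribute_read(line)
        if ev is not None:
            reads.append(ev)
    return reads


def sources_over_threshold(reads: List[AttributeRead], threshold: int) -> Dict[str, int]:
    """Source IPs with at least `threshold` successful (2xx) reads: candidates for bulk collection."""
    counts = Counter(r.ip for r in reads if 200 <= r.status < 300)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_unmanaged_attribute_reads(SAMPLE_ACCESS_LOG)
    for r in found:
        print(f"{r.time} {r.ip} realm={r.realm} user={r.user_id} status={r.status}")
    print("sources over threshold:", sources_over_threshold(found, threshold=2))
```

The threshold is deliberately low in the sample because the point is to surface any source that walks user records and then pulls their unmanaged attributes one after another; in production the value should be tuned against the normal rate of legitimate administrative use, and the matched events are best forwarded to the SIEM with the source address and realm so they can be joined against which administrator account held the session.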

Compliance Impact

This vulnerability allows an administrator with limited privileges to access sensitive custom user attributes that are intended to be hidden, potentially exposing personal data such as phone numbers and addresses. Such unauthorized access to personal data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict control over access to sensitive personal information. However, the provided resources do not explicitly discuss compliance impacts. [1]
