CVE-2025-13881
Privilege Escalation in Keycloak Admin API Exposes Sensitive Attributes
Publication date: 2026-02-02
Last updated on: 2026-02-10
Assigner: Red Hat, Inc.
Description
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Keycloak's Admin API, specifically in the /unmanagedAttributes endpoint. It allows an administrator with limited privileges (such as those with the view-users role) to bypass User Profile visibility settings and retrieve sensitive custom user attributes that are supposed to be hidden, like phone numbers and personal addresses. This happens because the endpoint does not enforce the visibility restrictions configured in the User Profile. [1]
How can this vulnerability impact me?
If exploited, this vulnerability could allow an administrator with limited privileges to access sensitive personal information of users that should be hidden. This could lead to unauthorized disclosure of private data such as phone numbers and addresses, potentially compromising user privacy and trust. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether an administrator holding only the view-users role can call the /unmanagedAttributes endpoint of the Keycloak Admin API and retrieve sensitive custom user attributes that should be hidden. To test this, send a request to the endpoint with an HTTP client such as curl, using an access token of a user that has the view-users role. For example:

```shell
curl -k -H "Authorization: Bearer <access_token>" https://<keycloak-server>/auth/admin/realms/<realm>/unmanagedAttributes
```

If sensitive custom attributes are returned despite the configured visibility restrictions, the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting the assignment of the view-users role to only trusted administrators, reviewing and limiting the use of custom attributes with restricted visibility in the User Profile feature, and monitoring access to the /unmanagedAttributes endpoint. Additionally, applying any available patches or updates from Keycloak that address this issue is recommended once released. [1]
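The mitigation above recommends monitoring access to the /unmanagedAttributes endpoint. The following is an added example, not part of this record or of Keycloak itself, of how a defender could do that over reverse-proxy access logs: it parses NCSA-style log lines, flags requests whose path is an Admin API call to the unmanagedAttributes endpoint (the path pattern is taken from the curl example above, with the `/auth` prefix treated as optional), and tallies them per client address. The log lines, IP addresses and realm name are constructed for the example; the assumption is that Keycloak sits behind a proxy that writes this format.

```python
import re
from collections import Counter

# Constructed sample access-log lines in NCSA combined style. These are not real
# Keycloak or proxy logs; the addresses, realm name and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Feb/2026:10:01:12 +0000] "GET /auth/admin/realms/example/users HTTP/1.1" 200 5120
10.0.0.5 - - [02/Feb/2026:10:01:15 +0000] "GET /auth/admin/realms/example/unmanagedAttributes HTTP/1.1" 200 2048
10.0.0.9 - - [02/Feb/2026:10:02:40 +0000] "GET /auth/realms/example/protocol/openid-connect/auth HTTP/1.1" 302 0
10.0.0.5 - - [02/Feb/2026:10:03:01 +0000] "GET /auth/admin/realms/example/unmanagedAttributes?first=0&max=100 HTTP/1.1" 200 4096
10.0.0.7 - - [02/Feb/2026:10:04:22 +0000] "GET /auth/admin/realms/example/unmanagedAttributes HTTP/1.1" 403 0
"""

# Minimal parser for the NCSA common/combined log line format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Admin API path from the curl example on this page; the "/auth" prefix is optional
# because newer Keycloak deployments serve the Admin API without it.
ADMIN_UNMANAGED_RE = re.compile(
    r'^/(?:auth/)?admin/realms/(?P<realm>[^/?]+)/unmanagedAttributes(?:/|\?|$)'
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, status (int) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_unmanaged_attribute_requests(log_text, only_successful=True):
    """Return the parsed records that hit the unmanagedAttributes Admin API endpoint.

    With only_successful=True (the default) only 2xx/3xx responses are kept, i.e.
    calls that actually returned data; denied attempts (4xx/5xx) are dropped.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = ADMIN_UNMANAGED_RE.match(rec["path"])
        if not m:
            continue
        if only_successful and rec["status"] >= 400:
            continue
        rec["realm"] = m.group("realm")
        hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Count flagged requests per client address, for alerting or review."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_unmanaged_attribute_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} (realm {h["realm"]})')
    print("per client:", dict(summarize_by_client(found)))
```

The proxy log records only that the endpoint was called and what status it returned, not which admin role the caller held; correlating a flagged request with the caller's roles needs Keycloak's own admin event records, which are outside this example. Running with only_successful=False also surfaces denied attempts, which are worth reviewing on their own.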
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an administrator with limited privileges to access sensitive custom user attributes that are intended to be hidden, potentially exposing personal data such as phone numbers and addresses. Such unauthorized access to personal data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict control over access to sensitive personal information. However, the provided resources do not explicitly discuss compliance impacts. [1]