CVE-2025-13881
LOW2.7EPSS 0.01%Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes
Published: 2/2/2026Modified: 2/13/2026
Description
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.
Affected packages (1)
- Maven/org.keycloak:keycloak-services>= 26.5.0, < 26.5.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW2.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
References (10)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-13881
- PATCHhttps://github.com/keycloak/keycloak
- WEBhttps://access.redhat.com/errata/RHSA-2026:2365
- WEBhttps://access.redhat.com/errata/RHSA-2026:2366
- WEBhttps://access.redhat.com/security/cve/CVE-2025-13881
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2418330
- WEBhttps://github.com/keycloak/keycloak/commit/1d7ab8d5fb1403902f5152820a8fc734d38b08d2
- WEBhttps://github.com/keycloak/keycloak/commit/c5c83d6604d4c73139f38fce3ed7b7c4c38c09f2
- WEBhttps://github.com/keycloak/keycloak/issues/45873
- WEBhttps://github.com/keycloak/keycloak/pull/45427