CVE-2025-13881
📋 TL;DR
This vulnerability allows Keycloak administrators with limited privileges to access sensitive custom user attributes that should be hidden by User Profile visibility settings. The flaw exists in the Admin API's /unmanagedAttributes endpoint, enabling privilege escalation through information disclosure. Only Keycloak deployments with custom user attributes and role-based access controls are affected.
💻 Affected Systems
- Keycloak
⚠️ Risk & Real-World Impact
Worst Case
Administrators with minimal privileges could access highly sensitive custom attributes (like PII, credentials, or internal identifiers) for all users, leading to data breaches and privilege escalation.
Likely Case
Limited administrators inadvertently or intentionally access custom attributes they shouldn't see, violating data segregation policies and potentially exposing sensitive business information.
If Mitigated
With proper role-based access controls and attribute visibility settings, impact is limited to authorized administrators accessing only attributes they need for their duties.
🎯 Exploit Status
Exploitation requires authenticated administrator access with any privilege level. Attack involves simple API calls to the /unmanagedAttributes endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisory for specific fixed version
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-13881
Restart Required: Yes
Instructions:
1. Check the Red Hat advisory for the fixed Keycloak version.
2. Back up configuration and data.
3. Apply the vendor-provided patch or upgrade to the fixed version.
4. Restart the Keycloak service.
5. Verify the fix by testing attribute visibility controls.
🔧 Temporary Workarounds
Restrict Admin API Access
Limit network access to Keycloak Admin API endpoints
# Configure firewall rules to restrict access to Keycloak Admin API (port 8080/8443 by default) to trusted IPs only
Review and Limit Custom Attributes
Audit and minimize sensitive custom attributes stored in user profiles
# Review Keycloak user profile configuration and remove unnecessary sensitive custom attributes
🧯 If You Can't Patch
- Implement strict role-based access controls and audit administrator activities
- Monitor and alert on suspicious access patterns to /unmanagedAttributes endpoint
🔍 How to Verify
Check if Vulnerable:
Test whether a limited-privilege administrator can retrieve custom attributes that User Profile visibility settings should hide, by calling the /auth/admin/realms/{realm}/users/{user_id}/unmanagedAttributes endpoint with that administrator's credentials.
Check Version:
# For Keycloak standalone: check keycloak-server.log or admin console
# For containerized: docker exec <container> /opt/keycloak/bin/kc.sh --version
Verify Fix Applied:
After patching, verify that User Profile visibility settings are properly enforced and limited administrators cannot access restricted custom attributes.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /unmanagedAttributes endpoint
- Administrator accounts accessing custom attributes outside their normal scope
Network Indicators:
- HTTP requests to /auth/admin/realms/*/users/*/unmanagedAttributes from unexpected sources
SIEM Query:
source="keycloak" AND (url_path="*/unmanagedAttributes" OR message="*unmanagedAttributes*")
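As an added example (not part of the advisory and not Keycloak project code), the script below applies the log and network indicators above to constructed access-log lines: it matches the unmanagedAttributes route with or without the legacy /auth prefix, raises an alert when the request came from an admin account outside an expected set or from an untrusted network, separates successful reads (disclosure) from denied ones (probes), and counts how many distinct user records each admin read so bulk enumeration stands out. The log field layout, the admin usernames, and the policy values are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# Matches the Admin API route named in the advisory. The optional "/auth"
# prefix covers older Keycloak builds that serve the API under that context path.
UNMANAGED_ATTR_RE = re.compile(
    r"^(?:/auth)?/admin/realms/(?P<realm>[^/]+)/users/(?P<user_id>[^/]+)/unmanagedAttributes/?$"
)

# Constructed sample log. The field order (client IP, admin username, method,
# path, status) is an assumption for this example, not a Keycloak log format;
# in practice the username would come from a reverse proxy or Keycloak's event log.
SAMPLE_LOG = """\
10.0.0.5 realm-admin GET /admin/realms/corp/users/1a2b/unmanagedAttributes 200
203.0.113.9 helpdesk-bob GET /auth/admin/realms/corp/users/3c4d/unmanagedAttributes 200
10.0.0.5 realm-admin GET /admin/realms/corp/users 200
10.0.0.7 helpdesk-bob GET /admin/realms/corp/users/5e6f/unmanagedAttributes 200
10.0.0.7 helpdesk-bob GET /admin/realms/corp/users/7a8b/unmanagedAttributes 403
10.0.0.5 realm-admin GET /admin/realms/corp/users/9c0d/unmanagedAttributes 200
"""

# Hypothetical policy: admin accounts expected to read unmanaged attributes,
# and the networks admin traffic should come from. Tune these per deployment.
EXPECTED_READERS = {"realm-admin"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into its fields."""
    ip, user, method, path, status = line.split()
    return {"ip": ip, "user": user, "method": method, "path": path, "status": int(status)}


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect(log_text: str, expected_readers=EXPECTED_READERS) -> List[Dict[str, object]]:
    """One alert per unmanagedAttributes request that came from an admin account
    outside the expected set or from an untrusted network. A 2xx response is a
    'disclosure' (data left the server); anything else is recorded as a 'probe'
    so denied attempts are still visible to a reviewer."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        match = UNMANAGED_ATTR_RE.match(rec["path"])
        if not match:
            continue
        reasons = []
        if rec["user"] not in expected_readers:
            reasons.append("unexpected-admin")
        if not is_trusted(rec["ip"]):
            reasons.append("untrusted-source")
        if not reasons:
            continue
        alerts.append({
            "user": rec["user"],
            "ip": rec["ip"],
            "realm": match.group("realm"),
            "target_user": match.group("user_id"),
            "kind": "disclosure" if 200 <= rec["status"] < 300 else "probe",
            "reasons": reasons,
        })
    return alerts


def targets_per_admin(log_text: str) -> Dict[str, int]:
    """Distinct user records whose unmanaged attributes each admin successfully
    read. A high count for one account suggests bulk enumeration rather than a
    single support case, which is the 'outside normal scope' pattern above."""
    seen = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        match = UNMANAGED_ATTR_RE.match(rec["path"])
        if match and 200 <= rec["status"] < 300:
            seen[rec["user"]].add(match.group("user_id"))
    return {user: len(ids) for user, ids in seen.items()}


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print(targets_per_admin(SAMPLE_LOG))
```

Run against the constructed sample it reports three alerts: two successful reads by helpdesk-bob (one of them from outside the trusted network) and one denied attempt, while realm-admin's reads produce nothing. Feed real lines through parse_line after adapting the field split to your proxy or event-log format; the route regex and the per-admin enumeration count carry over unchanged.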