Bug 2369601 (CVE-2025-5416)

Summary: CVE-2025-5416 keycloak-core: Keycloak Environment Information
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aschwart, boliveir, mposolda, pjindal, security-response-team, ssilvert, sthorger, vmuzikar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-05-31 22:32:29 UTC
An information disclosure vulnerability has been identified in Red Hat build of Keycloak. The /admin/serverinfo endpoint contains internal server details and returns a 401 Unauthorized error when an authenticated user attempts to access it directly.

However, the vulnerability occurs when an authenticated user logs into the system or accesses the admin console. The user's browser automatically sends a request to the /admin/serverinfo endpoint, and the response includes sensitive server information. This response can be captured and viewed using browser developer tools or an HTTP proxy, thereby allowing any authenticated user to unintentionally access these internal server details.
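A defender-side check, added here and not part of the Red Hat record or Keycloak's own code: it audits a browser HAR export (the kind saved from developer tools during an admin-console login) for /admin/serverinfo responses and lists which host-describing fields each body carries, so an administrator can confirm what a console session actually receives before and after patching. The `systemInfo` object and its field names are assumed from Keycloak's server-info response, and the hostname and HAR fragment are constructed.

```python
"""Audit a browser HAR export for /admin/serverinfo responses exposing host details."""
import base64
import json
from urllib.parse import urlparse

# Keys that describe the host or runtime rather than Keycloak's own configuration.
# Assumed to match the "systemInfo" object of Keycloak's server-info response;
# extend or trim this tuple to match what your deployment actually returns.
ENVIRONMENT_FIELDS = ("javaVersion", "javaVendor", "javaVm", "javaHome",
                      "osName", "osArchitecture", "osVersion",
                      "userName", "userDir")

def environment_fields_in(body: str) -> list:
    """Return the environment-revealing systemInfo keys populated in a JSON body."""
    try:
        system = json.loads(body).get("systemInfo") or {}
    except (ValueError, AttributeError):
        return []  # not JSON, or not a JSON object: nothing to report
    return [key for key in ENVIRONMENT_FIELDS if system.get(key) not in (None, "")]

def audit_har(har_text: str) -> list:
    """Return (status, url, exposed_fields) for every /admin/serverinfo request."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        if not urlparse(url).path.endswith("/admin/serverinfo"):
            continue
        response = entry["response"]
        content = response.get("content", {})
        body = content.get("text", "")
        if content.get("encoding") == "base64":  # HAR may store bodies base64-encoded
            body = base64.b64decode(body).decode("utf-8", "replace")
        findings.append((response["status"], url, environment_fields_in(body)))
    return findings

# Constructed HAR fragment (not a real capture): one console-initiated serverinfo call.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://sso.example.test/admin/serverinfo"},
     "response": {"status": 200, "content": {"text": json.dumps({
         "systemInfo": {"javaVersion": "21", "osName": "Linux", "userDir": "/opt/keycloak"},
         "themes": {}})}}},
    {"request": {"url": "https://sso.example.test/admin/realms/master"},
     "response": {"status": 200, "content": {"text": "{}"}}},
]}})

if __name__ == "__main__":
    for status, url, fields in audit_har(SAMPLE_HAR):
        print(status, url, ", ".join(fields) or "no environment fields")
```

Run it against a real export by reading the HAR file into `audit_har`; an empty field list for every 200 response means the console session no longer receives host details.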