Bug 2418330 (CVE-2025-13881)

Summary: CVE-2025-13881 org.keycloak.services.resources.admin: Keycloak: Limited administrator can retrieve sensitive user attributes via Admin API
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: anthomas, aschwart, boliveir, eglynn, ehelms, ggainey, jjoyce, jschluet, juwatts, lhh, mburns, mgarciac, mhulan, mposolda, nmoumoul, osousa, pcreech, pjindal, rchan, rmartinc, security-response-team, smallamp, ssilvert, sthorger, tmalecek, vmuzikar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2026-03-04   

Description OSIDB Bzimport 2025-12-02 14:02:21 UTC 
The Keycloak Admin API (/unmanagedAttributes) endpoint fails to respect the visibility configuration defined in the User Profile settings. This allows an administrator with limited privileges (specifically the view-users role) to retrieve sensitive custom attributes—such as phone numbers or personal addresses—that are explicitly configured to be hidden from both users and administrators in the GUI.

Requirements to exploit

The attacker must have a valid account on the realm.
The attacker must have the view-users role (considered an admin privilege).
The target realm must use the User Profile feature with custom attributes set to restricted visibility.
Component affected: org.keycloak.services.resources.admin