CVE-2025-13881 Overview
A security flaw has been identified in the Keycloak Admin API that allows administrators with limited privileges to read sensitive custom user attributes through the /unmanagedAttributes endpoint. The endpoint does not honour the User Profile visibility settings that are meant to restrict who can see those attributes, which makes this an Incorrect Privilege Assignment weakness (CWE-266).
Critical Impact
Administrators holding only limited realm-management privileges can bypass User Profile visibility controls and retrieve custom attributes that the profile configuration hides from them, exposing confidential user data that the access controls were meant to protect.
Affected Products
- Keycloak (specific versions not disclosed in advisory)
- Red Hat Single Sign-On (SSO) deployments using Keycloak
- Identity and Access Management systems built on Keycloak
Discovery Timeline
- 2026-02-02 - CVE-2025-13881 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2025-13881
Vulnerability Analysis
This vulnerability represents an Incorrect Privilege Assignment flaw within Keycloak's Admin API. The issue arises when administrators with restricted privileges access the /unmanagedAttributes endpoint, which fails to properly enforce the User Profile visibility settings configured for custom attributes.
In Keycloak, administrators can define custom user attributes and configure visibility settings through User Profiles to control which attributes should be accessible to different administrative roles. However, the /unmanagedAttributes endpoint does not properly validate these visibility constraints, allowing lower-privileged administrators to retrieve attribute data that should be hidden from their view.
The attack is network-reachable and requires high privileges in the CVSS sense (an authenticated administrator), although not full realm administration. Successful exploitation is a confidentiality impact: custom attribute values that the visibility settings hide from the caller are disclosed to that administrator.
Root Cause
The root cause lies in the Keycloak Admin API's failure to apply User Profile visibility settings when processing requests to the /unmanagedAttributes endpoint. While the main user attribute retrieval endpoints respect these visibility controls, the unmanaged attributes endpoint bypasses this authorization check, creating an inconsistent security enforcement across the API surface.
Attack Vector
The vulnerability is exploited over the network by an authenticated administrator with limited privileges. The attacker must:
- Obtain valid administrator credentials with restricted permissions in a Keycloak realm
- Send API requests to the /unmanagedAttributes endpoint targeting user resources
- Retrieve custom attribute values that should be restricted based on User Profile visibility settings
The attack needs no user interaction and is low complexity once a restricted administrator account is available. The CVSS scope is unchanged: the impact stays within Keycloak's own authorization boundary (disclosure of stored attribute values) and does not extend to other components.
For technical details on the vulnerability mechanism, refer to the Red Hat CVE Advisory and Red Hat Bug Report #2418330.
Detection Methods for CVE-2025-13881
Indicators of Compromise
- Requests to the /unmanagedAttributes endpoint from administrator accounts that hold only limited realm-management roles (for example view-users or query-users without the realm-admin composite role)
- Access log entries showing one administrator reading the unmanaged attributes of many users in a short interval, particularly an administrator whose role set should not let them see those attributes
- Note that Keycloak admin events record write operations only (CREATE, UPDATE, DELETE, ACTION); a GET to /unmanagedAttributes leaves no admin event, so evidence of reads has to come from the HTTP access log of the server or of the reverse proxy in front of it
Detection Strategies
- Parse HTTP access logs (Keycloak's own or the reverse proxy's) for requests whose path ends in /unmanagedAttributes and correlate the calling administrator with their effective realm-management roles exported from Keycloak
- Alert when the caller lacks the realm-admin composite role, and escalate when the response status was 200 (attribute values were returned) rather than 403 (the request was denied)
- Compare what a restricted administrator was able to retrieve against the User Profile configuration; any attribute that the visibility settings hide from that caller but that still appeared in a response is a confirmed bypass
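The detection logic above, as an added example that is not part of the original advisory: it runs over a constructed reverse-proxy access log, correlates each request to /unmanagedAttributes with a constructed snapshot of the callers' realm-management roles, and flags every read by an administrator who does not hold realm-admin. The proxy logging the caller's preferred_username in the remote-user field, the per-user path /admin/realms/{realm}/users/{id}/unmanagedAttributes, and the role snapshot are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample of a reverse-proxy access log in front of Keycloak (not a real capture).
# Assumption: the proxy logs the caller's preferred_username as the remote-user field; a stock
# combined log format prints "-" there for bearer-token requests, so the correlation below
# needs that (or a token subject logged by some other means) to work.
SAMPLE_LOG = """\
10.0.0.5 - alice [03/Feb/2026:10:12:01 +0000] "GET /admin/realms/corp/users/7d1e/unmanagedAttributes HTTP/1.1" 200 184
10.0.0.5 - alice [03/Feb/2026:10:12:02 +0000] "GET /admin/realms/corp/users/8a2f/unmanagedAttributes HTTP/1.1" 200 190
10.0.0.9 - bob [03/Feb/2026:10:13:40 +0000] "GET /admin/realms/corp/users/7d1e HTTP/1.1" 200 912
10.0.0.9 - bob [03/Feb/2026:10:13:41 +0000] "GET /admin/realms/corp/users/7d1e/unmanagedAttributes HTTP/1.1" 200 184
10.0.0.7 - carol [03/Feb/2026:10:15:00 +0000] "GET /admin/realms/corp/users/9c3b/unmanagedAttributes HTTP/1.1" 403 0
"""

# Constructed snapshot of each administrator's effective realm-management client roles, as you
# would export with: kcadm.sh get-roles -r corp --uusername <name> --cclientid realm-management --effective
ADMIN_ROLES = {
    "alice": {"realm-admin", "manage-users", "view-users", "query-users"},
    "bob": {"view-users", "query-users"},
    "carol": {"query-users"},
}

FULL_ADMIN_ROLE = "realm-admin"  # composite role that grants every realm-management permission

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# The advisory names only the /unmanagedAttributes suffix; the per-user path is assumed from
# Keycloak's Admin API layout.
TARGET_RE = re.compile(
    r"^/admin/realms/(?P<realm>[^/]+)/users/(?P<user_id>[^/]+)/unmanagedAttributes/?$"
)


def find_suspicious(log_text, roles=ADMIN_ROLES):
    """Return requests to /unmanagedAttributes made by administrators who do not hold realm-admin.

    A 200 means the server returned attribute values (disclosure on an unpatched instance);
    a 403 is a denied attempt and is still worth recording as reconnaissance.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        t = TARGET_RE.match(m["path"])
        if not t:
            continue  # not the endpoint of interest
        user = m["user"]
        if FULL_ADMIN_ROLE in roles.get(user, set()):
            continue  # full administrators are expected to see every attribute
        findings.append({
            "user": user,
            "roles": sorted(roles.get(user, set())),
            "realm": t["realm"],
            "target_user_id": t["user_id"],
            "status": int(m["status"]),
            "timestamp": m["ts"],
            "source_ip": m["ip"],
        })
    return findings


def disclosed_per_admin(log_text, roles=ADMIN_ROLES):
    """Count successful (HTTP 200) reads per restricted administrator, for alert thresholds."""
    return dict(Counter(f["user"] for f in find_suspicious(log_text, roles) if f["status"] == 200))


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['user']} {f['roles']} -> user {f['target_user_id']} status {f['status']}")
    print(disclosed_per_admin(SAMPLE_LOG))
```

In the sample, alice holds realm-admin and is skipped, bob's successful read of user 7d1e is reported as a disclosure, and carol's denied attempt is kept as a lower-severity finding. Feed the role snapshot from a periodic kcadm export rather than hard-coding it, and treat any unparseable line as a gap in coverage rather than silently dropping it.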
Monitoring Recommendations
- Enable Keycloak admin events (with representations included) for write operations on users, and enable HTTP access logging at the server or at the reverse proxy in front of it, because admin events do not record reads such as a GET to /unmanagedAttributes
- Configure SIEM rules to detect privilege-related anomalies in administrative API usage patterns
- Regularly audit administrator accounts and their access to sensitive endpoints to identify potential abuse
How to Mitigate CVE-2025-13881
Immediate Actions Required
- Review all administrator accounts and restrict privileges to the minimum required for their roles
- Audit current access to the /unmanagedAttributes endpoint and identify any unauthorized attribute retrievals
- Implement additional network-level access controls to limit which administrators can reach sensitive Admin API endpoints
- Monitor for any updated patches or advisories from Red Hat regarding Keycloak
Patch Information
Consult the Red Hat CVE Advisory for the latest patch information and remediation guidance. Organizations should apply vendor-provided patches as soon as they become available and follow Red Hat's security bulletin for Keycloak updates.
Workarounds
- Implement strict role-based access control to limit which administrators can access the Admin API
- Use network segmentation to restrict access to Keycloak Admin API endpoints from untrusted networks
- Review and minimize the number of custom attributes containing sensitive data that could be exposed through this vulnerability
- Consider implementing API gateway controls to filter or block requests to the /unmanagedAttributes endpoint for non-full administrators
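The last workaround, an API gateway policy that blocks /unmanagedAttributes for anyone who is not a full realm administrator, as an added example rather than code from the advisory or from the Keycloak project. It assumes the gateway has already verified the access token's signature and expiry against the realm's JWKS (the helper below deliberately does not re-implement that), that full administration is represented by the realm-admin client role of the realm-management client in the token's resource_access claim, and that the per-user path is /admin/realms/{realm}/users/{id}/unmanagedAttributes. The tokens in the block are unsigned fixtures built for the demo, not real Keycloak tokens.

```python
import base64
import json
import re

# The advisory names only the /unmanagedAttributes suffix; the per-user path below is an
# assumption based on Keycloak's Admin API layout (/admin/realms/{realm}/users/{id}/...).
UNMANAGED_PATH = re.compile(r"^/admin/realms/[^/]+/users/[^/]+/unmanagedAttributes/?$")
FULL_ADMIN_ROLE = "realm-admin"  # composite client role of the realm-management client


def make_fixture_token(claims):
    """Build a JWT-shaped fixture (header.payload.dummy-signature) for this demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.fixture-signature"


def unverified_claims(token):
    """Decode the payload segment only. Signature and expiry checks are assumed to have been
    done upstream by the gateway; this helper is not a substitute for them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def realm_management_roles(claims):
    """Client roles of realm-management carried in the token, or an empty set."""
    return set(claims.get("resource_access", {}).get("realm-management", {}).get("roles", []))


def decide(path, authorization_header):
    """Return (allowed, reason). Deny /unmanagedAttributes unless the caller holds realm-admin;
    every other path is forwarded and left to Keycloak's own authorization."""
    if not UNMANAGED_PATH.match(path):
        return True, "not a restricted path; forwarded to Keycloak"
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False, "missing bearer token"
    try:
        claims = unverified_claims(authorization_header[len("Bearer "):])
    except ValueError:  # covers malformed segments, bad base64 and bad JSON
        return False, "malformed token"
    roles = realm_management_roles(claims)
    if FULL_ADMIN_ROLE in roles:
        return True, "realm-admin may read unmanaged attributes"
    who = claims.get("preferred_username", "?")
    return False, f"{who} lacks {FULL_ADMIN_ROLE} (has {sorted(roles)})"


# Constructed fixture tokens: one restricted administrator, one full administrator.
LIMITED_ADMIN = make_fixture_token({
    "preferred_username": "bob",
    "resource_access": {"realm-management": {"roles": ["view-users", "query-users"]}},
})
FULL_ADMIN = make_fixture_token({
    "preferred_username": "alice",
    "resource_access": {"realm-management": {"roles": ["realm-admin"]}},
})

if __name__ == "__main__":
    target = "/admin/realms/corp/users/7d1e/unmanagedAttributes"
    print(decide(target, "Bearer " + LIMITED_ADMIN))
    print(decide(target, "Bearer " + FULL_ADMIN))
    print(decide("/admin/realms/corp/users/7d1e", "Bearer " + LIMITED_ADMIN))
```

This is a compensating control, not a fix: it only helps if every path to the Admin API goes through the gateway, and it should be removed in favour of Keycloak's own enforcement once the vendor patch is applied. Failing closed on a missing or malformed token is deliberate, since the endpoint has no legitimate anonymous use.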
# Example: review evidence of /unmanagedAttributes access
# Keycloak admin events record only write operations (CREATE/UPDATE/DELETE/ACTION), so a GET to
# /unmanagedAttributes leaves no admin event. Check the HTTP access log of the server, or of the
# reverse proxy in front of it, instead (the log path below is an assumption; adjust to your deployment).
grep -i "unmanagedAttributes" /var/log/nginx/access.log
# Authenticate kcadm once, then list an administrator's effective realm-management client roles
# (repeat per administrator; anyone without realm-admin is a "limited" administrator in the sense of this CVE)
/opt/keycloak/bin/kcadm.sh config credentials --server https://sso.example.com --realm master --user admin
/opt/keycloak/bin/kcadm.sh get-roles -r your-realm --uusername alice --cclientid realm-management --effective
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

