CVE-2025-13881: Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.
References
- access.redhat.com/security/cve/CVE-2025-13881
- bugzilla.redhat.com/show_bug.cgi?id=2418330
- github.com/advisories/GHSA-g78x-7vwx-9f58
- github.com/keycloak/keycloak
- github.com/keycloak/keycloak/commit/c5c83d6604d4c73139f38fce3ed7b7c4c38c09f2
- github.com/keycloak/keycloak/issues/45873
- github.com/keycloak/keycloak/pull/45427
- nvd.nist.gov/vuln/detail/CVE-2025-13881
Code Behaviors & Features
Detect and mitigate CVE-2025-13881 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →