CVE-2025-14082: Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions

December 10, 2025 (updated January 8, 2026)

A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.

References

access.redhat.com/security/cve/CVE-2025-14082
bugzilla.redhat.com/show_bug.cgi?id=2419078
github.com/advisories/GHSA-6q37-7866-h27j
github.com/keycloak/keycloak
github.com/keycloak/keycloak/commit/89a8cddfd669178565ae50989c49216a945d1371
nvd.nist.gov/vuln/detail/CVE-2025-14082

Code Behaviors & Features

Detect and mitigate CVE-2025-14082 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →