AI description
CVE-2025-13881 describes a vulnerability in Keycloak where a limited administrator can access sensitive user attributes that should otherwise be hidden. Specifically, the Keycloak Admin API's `/unmanagedAttributes` endpoint does not properly enforce the visibility configurations set within the User Profile settings. This flaw allows an administrator with restricted privileges, such as those holding the `view-users` role, to retrieve sensitive custom attributes like phone numbers or personal addresses. These attributes are explicitly configured to be hidden from both users and administrators through the graphical user interface. The vulnerability is categorized as an Incorrect Privilege Assignment (CWE-266).
- Description
- A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.
- Source
- secalert@redhat.com
- NVD status
- Deferred
CVSS 3.1
- Type
- Secondary
- Base score
- 2.7
- Impact score
- 1.4
- Exploitability score
- 1.2
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
- Severity
- LOW
- secalert@redhat.com
- CWE-266
- Hype score
- Not currently trending
CVE-2025-13881 Keycloak Admin API Privilege Escalation via Sensitive Attribute Retrieval https://t.co/wM4iwiBiFV
@VulmonFeeds
2 Feb 2026
62 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Sharing my latest security finding: CVE-2025-13881 in #Keycloak The issue was reported through @yeswehack and affects the Keycloak Admin API, where a limited admin could access user attributes that should not be exposed. More details in the redhat advisory:
@drak3hft7
30 Jan 2026
1791 Impressions
3 Retweets
30 Likes
19 Bookmarks
1 Reply
1 Quote