CVE-2025-13467

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2025:22088
https://access.redhat.com/errata/RHSA-2025:22089
https://access.redhat.com/errata/RHSA-2025:22090
https://access.redhat.com/errata/RHSA-2025:22091
https://access.redhat.com/security/cve/CVE-2025-13467
https://bugzilla.redhat.com/show_bug.cgi?id=2416038
https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328
https://github.com/keycloak/keycloak/issues/44478

Configurations

No configuration.

History

No history.

Information

Published : 2025-11-25 16:16

Updated : 2025-12-23 21:15

NVD link : CVE-2025-13467

Mitre link : CVE-2025-13467

CVE.ORG link : CVE-2025-13467

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

5.5 /10