CVE-2025-13467
MEDIUM5.5EPSS 0.06%Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
Published: 12/19/2025Modified: 2/17/2026
Also known as:GHSA-4hx9-48xh-5mxr
Description
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. ### Mitigation Disable LDAP referrals in all LDAP user providers in all realms if projects cannot upgrade to the patched versions.
Affected packages (1)
- Maven/org.keycloak:keycloak-ldap-federation>= 26.3.0, < 26.4.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N |
References (10)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-13467
- PATCHhttps://github.com/keycloak/keycloak
- WEBhttps://access.redhat.com/errata/RHSA-2025:22088
- WEBhttps://access.redhat.com/security/cve/CVE-2025-13467
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2416038
- WEBhttps://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328
- WEBhttps://github.com/keycloak/keycloak/commit/b90fec41ff17a70858d830750156a8a2e13ddb82
- WEBhttps://github.com/keycloak/keycloak/issues/44478
- WEBhttps://github.com/keycloak/keycloak/releases/tag/26.4.6
- WEBhttps://github.com/keycloak/keycloak/security/advisories/GHSA-4hx9-48xh-5mxr