CVE-2025-14082 PUBLISHED

Keycloak-services: keycloak admin rest api: improper access control leads to sensitive role metadata information disclosure

Assigner: redhat
Reserved: 05.12.2025 Published: 10.12.2025 Updated: 16.01.2026

A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 2.7

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	High	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Red Hat
Product	Red Hat Build of Keycloak
Versions	Default: affected

Workarounds

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Credits

Red Hat would like to thank Muhammad Usman (HackerSSG) (securetackles) for reporting this issue.

References

Problem Types

Improper Access Control CWE