CVE-2025-14082

Severity: LOW (CVSS 3.1 base score 2.7)
Published: 2025-12-10 by [email protected]

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: None
- Availability: None

Lifecycle Timeline

- Patch Released: Apr 02, 2026 - 14:30 (nvd) - patch available
- Analysis Generated: Apr 02, 2026 - 14:22 (vuln.today)
- CVE Published: Dec 10, 2025 - 09:15 (nvd)

Description (NVD)

A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.

Analysis (AI)

Keycloak Admin REST API discloses sensitive role metadata through insufficient authorization checks on the /admin/realms/{realm}/roles endpoint, allowing high-privileged authenticated users to access role information they should not have permission to view. With a CVSS score of 2.7 and EPSS of 0.01%, this is a low-severity information disclosure affecting confidentiality only; no public exploit identified at time of analysis.

Technical Context (AI)

Keycloak's Admin REST API implements role-based access control for administrative operations. The vulnerability stems from CWE-284 (Improper Access Control), where the /admin/realms/{realm}/roles endpoint fails to properly validate authorization permissions before returning sensitive role metadata. This affects the role management API layer in Keycloak, where high-privileged administrators (PR:H in CVSS vector) can query and view role information beyond their delegated scope. The flaw is specific to REST API authorization logic rather than a cryptographic or network-level issue, as evidenced by the AV:N/AC:L/PR:H/UI:N vector indicating network-accessible functionality requiring high privileges with no additional complexity.

Affected Products (AI)

Keycloak Admin REST API is affected. Specific version ranges are not explicitly stated in the provided references, but Red Hat has released patches via RHSA-2026:6477 and RHSA-2026:6478. The vulnerability applies to Keycloak instances exposing the Admin REST API with role-based authorization enforcement. Consult Red Hat's errata and CVE detail page at https://access.redhat.com/security/cve/CVE-2025-14082 for precise affected versions and distribution-specific guidance.

Remediation (AI)

Apply the vendor-released patch provided via Red Hat Security Advisory (consult https://access.redhat.com/errata/RHSA-2026:6477 and https://access.redhat.com/errata/RHSA-2026:6478 for exact version numbers and deployment steps). The patch addresses the insufficient authorization checks in the /admin/realms/{realm}/roles endpoint. As an interim control, restrict network and administrative access to Keycloak's Admin REST API to trusted administrators only, and audit-log all role-related API queries so that reads of role metadata by unexpected sources can be spotted. After patching, verify that authorization rules are enforced on the role metadata endpoints (a realm-scoped administrator should no longer be able to read roles outside their delegated scope).
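One way to implement the interim audit control described above, as an added example that is not part of this page, of Red Hat's advisories, or of Keycloak itself: a Python script that scans reverse-proxy access logs in the common combined log format for requests to the /admin/realms/{realm}/roles endpoint, separates them into trusted and untrusted sources using an allowlist, and reports successful role-metadata reads from outside that allowlist. Keycloak's own admin events record write operations by default rather than GET requests, which is why the log in front of the server is the natural place to look. The sample log lines, IP addresses, realm names and the allowlist are constructed for illustration; the script assumes the Admin REST API is reachable under a path containing /admin/realms/ (it searches for that substring, so an older /auth prefix is tolerated).

```python
import re
from collections import Counter

# Constructed sample log lines (combined log format) from a reverse proxy in
# front of Keycloak. Hypothetical IPs, realms and timestamps, not real data.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2026:14:40:01 +0000] "GET /admin/realms/master/roles HTTP/1.1" 200 1532
10.0.0.5 - - [02/Apr/2026:14:40:03 +0000] "GET /admin/realms/master/roles/offline_access HTTP/1.1" 200 310
203.0.113.9 - - [02/Apr/2026:14:41:10 +0000] "GET /admin/realms/tenant-a/roles?first=0&max=100 HTTP/1.1" 200 4096
203.0.113.9 - - [02/Apr/2026:14:41:12 +0000] "GET /admin/realms/tenant-b/roles HTTP/1.1" 403 92
198.51.100.7 - - [02/Apr/2026:14:42:00 +0000] "GET /admin/realms/tenant-a/users HTTP/1.1" 200 2048
198.51.100.7 - - [02/Apr/2026:14:42:05 +0000] "POST /realms/tenant-a/protocol/openid-connect/token HTTP/1.1" 200 1200
"""

# Hypothetical allowlist of hosts from which admin tooling is expected to run.
TRUSTED_ADMIN_IPS = frozenset({"10.0.0.5"})

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The endpoint named in the advisory, plus its sub-resources and query strings.
ROLES_RE = re.compile(r"/admin/realms/(?P<realm>[^/?]+)/roles(?:[/?]|$)")


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def role_queries(log_text, trusted_ips=TRUSTED_ADMIN_IPS):
    """Return every request that touched a realm's roles endpoint, tagged with
    the realm it addressed and whether the source IP is on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = ROLES_RE.search(rec["path"])
        if not m:
            continue
        rec["realm"] = m.group("realm")
        rec["trusted"] = rec["ip"] in trusted_ips
        hits.append(rec)
    return hits


def untrusted_reads(hits):
    """Successful (2xx) role-metadata reads from sources outside the allowlist;
    these are the events a defender wants to review while the patch is pending."""
    return [h for h in hits if not h["trusted"] and 200 <= h["status"] < 300]


def summarize(hits):
    """Count untrusted role queries (any status) per (source IP, realm) pair."""
    return Counter((h["ip"], h["realm"]) for h in hits if not h["trusted"])


if __name__ == "__main__":
    hits = role_queries(SAMPLE_LOG)
    print(f"{len(hits)} role endpoint requests, {len(untrusted_reads(hits))} successful untrusted reads")
    for (ip, realm), n in summarize(hits).items():
        print(f"  {ip} -> realm {realm}: {n} request(s)")
    for h in untrusted_reads(hits):
        print(f"REVIEW: {h['time']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
```

Run it against the sample and the 403 from 203.0.113.9 to tenant-b shows up in the per-source summary but not in the review list, while the 200 response from the same host for tenant-a is flagged as a successful read to review. In a real deployment, feed the script the proxy's access log and replace the allowlist with the hosts your administrators actually use.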


CVE-2025-14082 vulnerability details – vuln.today
