Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization

GHSA-4hx9-48xh-5mxr · CVE-2025-13467

Published Dec 19, 2025 · Modified Feb 17, 2026

Description

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.

Mitigation

Disable LDAP referrals in all LDAP user providers in all realms if projects cannot upgrade to the patched versions.

References

WEB https://github.com/keycloak/keycloak/security/advisories/GHSA-4hx9-48xh-5mxr
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-13467
WEB https://github.com/keycloak/keycloak/issues/44478
WEB https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328
WEB https://github.com/keycloak/keycloak/commit/b90fec41ff17a70858d830750156a8a2e13ddb82
WEB https://access.redhat.com/errata/RHSA-2025:22088
WEB https://access.redhat.com/security/cve/CVE-2025-13467
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2416038
PACKAGE https://github.com/keycloak/keycloak
WEB https://github.com/keycloak/keycloak/releases/tag/26.4.6

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes