Duplicate Advisory: Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization

GHSA-93vm-mqpw-8wh3

Published Nov 25, 2025 · Modified Feb 4, 2026

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-4hx9-48xh-5mxr. This link is maintained to preserve external references.

Original Description

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-13467
WEB https://github.com/keycloak/keycloak/issues/44478
WEB https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328
WEB https://access.redhat.com/errata/RHSA-2025:22088
WEB https://access.redhat.com/errata/RHSA-2025:22089
WEB https://access.redhat.com/errata/RHSA-2025:22090
WEB https://access.redhat.com/errata/RHSA-2025:22091
WEB https://access.redhat.com/security/cve/CVE-2025-13467
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2416038
PACKAGE https://github.com/keycloak/keycloak
WEB https://github.com/keycloak/keycloak/releases/tag/26.4.6

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes