Description
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.
Published: 2026-01-21
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Assess Impact
AI Analysis

Impact

A flaw allows the exposure of backend schema and rule information through the Keycloak Admin REST API. The improper access control can enable an attacker to gather sensitive configuration details, which could be leveraged in targeted attacks or to elevate privileges within the environment. The weakness is classified as an improper access control flaw (CWE-284).

Affected Systems

Systems running Red Hat build of Keycloak 26.4 (including the 26.4.11 revision) are affected. The impacted product is identified as the Red Hat build of Keycloak for Enterprise Linux 9, as indicated by the CPE cpe:/a:redhat:build_keycloak:26.4::el9.

Risk and Exploitability

The CVSS score of 2.7 indicates low severity. The EPSS score is reported as less than 1%, suggesting a very low probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. Based on the description, the attack vector is inferred to involve unauthorized or unintended access to the Keycloak Admin REST API, which may be reachable by users who lack the appropriate administrative permissions. An attacker able to issue API requests could extract backend schema details; exploitation would be limited to information disclosure unless additional privilege escalation mechanisms exist.

Generated by OpenCVE AI on April 28, 2026 at 10:01 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat security update RHSA-2026:6477 or RHSA-2026:6478 that includes the fix for this issue.
  • If immediate patching is not feasible, restrict network access to the Keycloak Admin REST API to trusted internal hosts or IP ranges to limit exposure to potential attackers.
  • Review and tighten administrator permissions, ensuring that only users with explicit authorization can query the API endpoints that expose backend schema and rule data.


Advisories

Source: GitHub GHSA
ID: GHSA-594w-2fwp-jwrc
Title: Keycloak Admin REST API exposes backend schema and rules
History

Thu, 02 Apr 2026 14:15:00 +0000

CPEs
  Removed: cpe:/a:redhat:build_keycloak:
  Added: cpe:/a:redhat:build_keycloak:26.4::el9
References

Wed, 21 Jan 2026 15:15:00 +0000

Metrics
  Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 12:30:00 +0000

Description
  Removed: No description is available for this CVE.
  Added: A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.
Title
  Removed: keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure
  Added: Keycloak-server: keycloak: improper access control in admin rest api leads to information disclosure
First Time appeared
  Added: Redhat
  Added: Redhat build Keycloak
CPEs
  Added: cpe:/a:redhat:build_keycloak:
Vendors & Products
  Added: Redhat
  Added: Redhat build Keycloak
References

Wed, 10 Dec 2025 12:15:00 +0000

Description
  Added: No description is available for this CVE.
Title
  Added: keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure
Weaknesses
  Added: CWE-284
References
Metrics
  Removed: threat_severity: None
  Added: cvssV3_1: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}
  Added: threat_severity: Low


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-02T16:47:15.987Z

Reserved: 2025-12-05T05:59:08.365Z

Link: CVE-2025-14083

Vulnrichment

Updated: 2026-01-21T14:22:25.363Z

NVD

Status: Deferred

Published: 2026-01-21T13:16:02.777

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14083

Redhat

Severity: Low

Public Date: 2025-12-05T00:00:00Z

Links: CVE-2025-14083 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T10:15:28Z

Weaknesses