Keycloak LDAP Federation Deserialization via Malicious LDAP (CVE-2025-13467)
CVE-2025-13467 Published on November 25, 2025

Org.keycloak.storage.ldap: keycloak: deserialization of untrusted data in ldap user federation
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.

Github Repository Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-13467 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

HIGH

User Interaction:

NONE

Scope:

CHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

NONE

Timeline

2025-11-20

Reported to Red Hat.

2025-11-25

Made public. 5 days later.

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2025-13467 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.

Products Associated with CVE-2025-13467

stack.watch emails you whenever new vulnerabilities are published in Red Hat Build Keycloak or Red Hat Keycloak. Just hit a watch button to start following.

Red Hat Build Keycloak

Red Hat Keycloak

Affected Versions

Keycloak:

Before 26.4.6 is affected.

Red Hat build of Keycloak 26.2:

Version 26.2.11-1 and below * is unaffected.

Red Hat build of Keycloak 26.2:

Version 26.2-12 and below * is unaffected.

Red Hat build of Keycloak 26.2:

Version 26.2-12 and below * is unaffected.

Red Hat build of Keycloak 26.2.11: Red Hat build of Keycloak 26.4:

Version 26.4.6-1 and below * is unaffected.

Red Hat build of Keycloak 26.4:

Version 26.4-6 and below * is unaffected.

Red Hat build of Keycloak 26.4:

Version 26.4-5 and below * is unaffected.

Red Hat build of Keycloak 26.4.6:

Vulnerable Packages

The following package name and versions may be associated with CVE-2025-13467

Package Manager	Vulnerable Package	Versions	Fixed In
maven	org.keycloak:keycloak-ldap-federation	< 26.4.6	26.4.6

Exploit Probability

EPSS

0.02%

Percentile

6.09%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Keycloak LDAP Federation Deserialization via Malicious LDAP (CVE-2025-13467)CVE-2025-13467 Published on November 25, 2025

Vulnerability Analysis

Timeline

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

Products Associated with CVE-2025-13467

Affected Versions

Vulnerable Packages

Exploit Probability

Keycloak LDAP Federation Deserialization via Malicious LDAP (CVE-2025-13467)
CVE-2025-13467 Published on November 25, 2025