Keycloak Admin REST API Info Disclosure via /roles endpoint
CVE-2025-14082 Published on December 10, 2025
Keycloak-services: keycloak admin rest api: improper access control leads to sensitive role metadata information disclosure
A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.
Vulnerability Analysis
CVE-2025-14082 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2025-14082 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2025-14082
stack.watch emails you whenever new vulnerabilities are published in Red Hat Build Keycloak or Red Hat Keycloak. Just hit a watch button to start following.
Affected Versions
Red Hat build of Keycloak 26.4:- Version 26.4.11-1 and below * is unaffected.
- Version 26.4-14 and below * is unaffected.
- Version 26.4-14 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.