RedHat Keycloak Admin REST API: Exposed Backend Schema via Improper Access Control
CVE-2025-14083 Published on January 21, 2026

Keycloak-server: keycloak: improper access control in admin rest api leads to information disclosure
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.

Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-14083 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Timeline

Reported to Red Hat.

Made public.

Weakness Type

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2025-14083 has been classified to as an Authorization vulnerability or weakness.


Products Associated with CVE-2025-14083

Want to know whenever a new CVE is published for Red Hat Build Keycloak? stack.watch will email you.

Red Hat Build Keycloak
 

Affected Versions

Red Hat build of Keycloak 26.4: Red Hat build of Keycloak 26.4: Red Hat build of Keycloak 26.4: Red Hat build of Keycloak 26.4.11:

Exploit Probability

EPSS
0.04%
Percentile
10.95%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.