Medium severity5.5OSV Advisory· Published Nov 25, 2025· Updated Apr 15, 2026
CVE-2025-13467
CVE-2025-13467
Description
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.keycloak:keycloak-ldap-federationMaven | >= 26.3.0, < 26.4.6 | 26.4.6 |
org.keycloak:keycloak-ldap-federationMaven | < 26.2.11 | 26.2.11 |
Affected products
22- osv-coords21 versionspkg:apk/chainguard/keycloak-26.2pkg:apk/chainguard/keycloak-26.2-bitnami-compatpkg:apk/chainguard/keycloak-26.2-compatpkg:apk/chainguard/keycloak-26.2-iamguarded-compatpkg:apk/chainguard/keycloak-26.3pkg:apk/chainguard/keycloak-26.3-bitnami-compatpkg:apk/chainguard/keycloak-26.3-compatpkg:apk/chainguard/keycloak-26.3-iamguarded-compatpkg:apk/chainguard/keycloak-fips-26.2pkg:apk/chainguard/keycloak-fips-26.2-bitnami-fipspkg:apk/chainguard/keycloak-fips-26.2-iamguarded-fipspkg:apk/chainguard/keycloak-fips-26.3pkg:apk/chainguard/keycloak-fips-26.3-bitnami-fipspkg:apk/chainguard/keycloak-fips-26.3-iamguarded-fipspkg:apk/chainguard/keycloak-fips-26.3-operatorpkg:apk/chainguard/keycloak-fips-26.3-operator-compatpkg:apk/wolfi/keycloak-26.3pkg:apk/wolfi/keycloak-26.3-bitnami-compatpkg:apk/wolfi/keycloak-26.3-compatpkg:apk/wolfi/keycloak-26.3-iamguarded-compatpkg:maven/org.keycloak/keycloak-ldap-federation
< 26.2.5-r7+ 20 more
- (no CPE)range: < 26.2.5-r7
- (no CPE)range: < 26.2.5-r7
- (no CPE)range: < 26.2.5-r7
- (no CPE)range: < 26.2.5-r7
- (no CPE)range: < 26.3.5-r4
- (no CPE)range: < 26.3.5-r4
- (no CPE)range: < 26.3.5-r4
- (no CPE)range: < 26.3.5-r4
- (no CPE)range: < 26.2.5-r9
- (no CPE)range: < 26.2.5-r9
- (no CPE)range: < 26.2.5-r9
- (no CPE)range: < 26.3.5-r5
- (no CPE)range: < 26.3.5-r5
- (no CPE)range: < 26.3.5-r5
- (no CPE)range: < 26.3.5-r5
- (no CPE)range: < 26.3.5-r5
- (no CPE)range: < 26.3.5-r4
- (no CPE)range: < 26.3.5-r4
- (no CPE)range: < 26.3.5-r4
- (no CPE)range: < 26.3.5-r4
- (no CPE)range: >= 26.3.0, < 26.4.6
Patches
Vulnerability mechanics
References
13- github.com/advisories/GHSA-4hx9-48xh-5mxrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-13467ghsaADVISORY
- access.redhat.com/errata/RHSA-2025:22088nvdWEB
- access.redhat.com/security/cve/CVE-2025-13467nvdWEB
- bugzilla.redhat.com/show_bug.cginvdWEB
- github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328nvdWEB
- github.com/keycloak/keycloak/commit/b90fec41ff17a70858d830750156a8a2e13ddb82ghsaWEB
- github.com/keycloak/keycloak/issues/44478nvdWEB
- github.com/keycloak/keycloak/releases/tag/26.4.6ghsaWEB
- github.com/keycloak/keycloak/security/advisories/GHSA-4hx9-48xh-5mxrghsaWEB
- access.redhat.com/errata/RHSA-2025:22089nvd
- access.redhat.com/errata/RHSA-2025:22090nvd
- access.redhat.com/errata/RHSA-2025:22091nvd
News mentions
0No linked articles in our index yet.