Deserialization of Untrusted Data Affecting keycloak package, versions <26.4.6-r0


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.4% (32nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-KEYCLOAK-14139315
  • published28 Nov 2025
  • disclosed25 Nov 2025

Introduced: 25 Nov 2025

CVE-2025-13467  (opens in a new tab)
CWE-502  (opens in a new tab)

How to fix?

Upgrade Minimos:latest keycloak to version 26.4.6-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream keycloak package and not the keycloak package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.

CVSS Base Scores

version 3.1