10 matches found
GHSA-4HX9-48XH-5MXR Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. Mitigation: Disable LDAP referrals in all LDAP user providers in all realms...
Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. Mitigation: Disable LDAP referrals in all LDAP user providers in all realms...
Duplicate Advisory: Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-4hx9-48xh-5mxr. This link is maintained to preserve external references. Original Description: A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm...
Moderate: Red Hat Security Advisory: Red Hat build of Keycloak 26.2.11 Security Update
New Red Hat build of Keycloak 26.2.11 packages are available from the Customer Portal. Red Hat build of Keycloak 26.2.11 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Security...
CVE-2025-13467 org.keycloak.storage.ldap: keycloak: deserialization of untrusted data in LDAP user federation
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration...
CVE-2025-13467
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. Mitigation: Mitigation for this issue is either not available or the...
EUVD-2022-3834
Malicious code in bioql PyPI...
EUVD-2022-4341
Malicious code in bioql PyPI...
CVE-2019-14910
CVE-2019-14910 affects Keycloak 7.x when LDAP user federation uses StartTLS instead of LDAPS. The documented flaw allows authentication to succeed with an invalid password due to errors in the authentication procedure, enabling potential unauthorized access. Reported by multiple sources (Red Hat ...
CVE-2019-14909
A vulnerability was found in Keycloak 7.x where, if the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid, will be accepted...