ALT Linux Team

Package keycloak update in c10f2 on 2025-12-12

ALT-PU-2025-15661-3

Package keycloak updated to version 26.4.7-alt3 for branch c10f2 in task 402471.

Closed vulnerabilities

Published: 2025-11-25
Modified: 2026-04-15

CVE-2025-13467

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.

Severity: MEDIUM (5.5)Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
References:
Published: 2025-12-20
Modified: 2026-02-17

GHSA-4hx9-48xh-5mxr

Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization

Severity: MEDIUM (5.5)Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
References:
Published: 2025-11-25
Modified: 2025-12-24

GHSA-93vm-mqpw-8wh3

Duplicate Advisory: Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization

Severity: MEDIUM (5.5)Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
References:
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: 2.1.2
Back to top