A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.
rhbk/keycloak Red Hat / RHEL
Fixed in: rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64 RHSA-2025:22088 Fixed in: operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64 RHSA-2025:22088 Fixed in: rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64 RHSA-2025:22088 Fixed in: rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le RHSA-2025:22088 Fixed in: rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le RHSA-2025:22088 Fixed in: rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x RHSA-2025:22088 Fixed in: rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x RHSA-2025:22088 Fixed in: rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64 RHSA-2025:22088 Fixed in: rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64 RHSA-2025:22088 Fixed in: rhel9@sha256:710b71ca582a96e3617ca04d819bd2df428003a8c3fd9bc5f28aea45766809bd_amd64 RHSA-2025:22090 Fixed in: operator-bundle@sha256:21319807f584783e091bbd03066624d759e699e72e38f42f8e69f5d59d1ca31c_amd64 RHSA-2025:22090 Fixed in: rhel9-operator@sha256:c0dbea4bb061452767b52b634550477237495bf48600994c5efe9a5e28766a19_amd64 RHSA-2025:22090 Fixed in: rhel9@sha256:f7388968b2c6662174ebb6befe25eae4d48be2c5a684a1cabc3be79e2be3827a_ppc64le RHSA-2025:22090 Fixed in: rhel9-operator@sha256:cce8f176c7ecde1910ceeb3d814b9bf2d2d63ccbfcd5a1eb0eb83efe0d9852b2_ppc64le RHSA-2025:22090 Fixed in: rhel9@sha256:4e76367ad0340f93653ccadbb0f82c96194c28951fde84d00b146f2372c949e7_s390x RHSA-2025:22090 Fixed in: rhel9-operator@sha256:4a70c9fc5c12822bdc9dad06b0455d9b4ae847f080123856b8bf4f683933e60b_s390x RHSA-2025:22090 Fixed in: rhel9@sha256:c5d3ee80cd09b752b94f763850774b02336a8f10a9d5e3decb0d6941bae7c70c_arm64 RHSA-2025:22090 Fixed in: rhel9-operator@sha256:68f820e741c80a4cc1b1498531a40bfb4d2776bb52247d206e9ba698ef951930_arm64 RHSA-2025:22090 rhbk/keycloak Rocky
Fixed in: rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64 RHSA-2025:22088 Fixed in: operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64 RHSA-2025:22088 Fixed in: rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64 RHSA-2025:22088 Fixed in: rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le RHSA-2025:22088 Fixed in: rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le RHSA-2025:22088 Fixed in: rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x RHSA-2025:22088 Fixed in: rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x RHSA-2025:22088 Fixed in: rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64 RHSA-2025:22088 Fixed in: rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64 RHSA-2025:22088 Fixed in: rhel9@sha256:710b71ca582a96e3617ca04d819bd2df428003a8c3fd9bc5f28aea45766809bd_amd64 RHSA-2025:22090 Fixed in: operator-bundle@sha256:21319807f584783e091bbd03066624d759e699e72e38f42f8e69f5d59d1ca31c_amd64 RHSA-2025:22090 Fixed in: rhel9-operator@sha256:c0dbea4bb061452767b52b634550477237495bf48600994c5efe9a5e28766a19_amd64 RHSA-2025:22090 Fixed in: rhel9@sha256:f7388968b2c6662174ebb6befe25eae4d48be2c5a684a1cabc3be79e2be3827a_ppc64le RHSA-2025:22090 Fixed in: rhel9-operator@sha256:cce8f176c7ecde1910ceeb3d814b9bf2d2d63ccbfcd5a1eb0eb83efe0d9852b2_ppc64le RHSA-2025:22090 Fixed in: rhel9@sha256:4e76367ad0340f93653ccadbb0f82c96194c28951fde84d00b146f2372c949e7_s390x RHSA-2025:22090 Fixed in: rhel9-operator@sha256:4a70c9fc5c12822bdc9dad06b0455d9b4ae847f080123856b8bf4f683933e60b_s390x RHSA-2025:22090 Fixed in: rhel9@sha256:c5d3ee80cd09b752b94f763850774b02336a8f10a9d5e3decb0d6941bae7c70c_arm64 RHSA-2025:22090 Fixed in: rhel9-operator@sha256:68f820e741c80a4cc1b1498531a40bfb4d2776bb52247d206e9ba698ef951930_arm64 RHSA-2025:22090 Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.
Exploitability
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Changed
Impact
Confidentiality Low
Integrity Low
Availability None
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
0.40% probability of exploitation in 30 days
32nd percentile
Low risk: more likely to be exploited than 32% of all known CVEs.
Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities, ordered by exploit likelihood. View all
Embed a live status badge for CVE-2025-13467 Markdown
[](https://tridentstack.com/cve/CVE-2025-13467)HTML
<a href="https://tridentstack.com/cve/CVE-2025-13467"><img src="https://tridentstack.com/cve/badge/CVE-2025-13467.svg" alt="CVE-2025-13467"></a>Find and fix vulnerabilities across your fleet TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start free This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-12-23.