Nixpkgs security tracker

Permalink CVE-2025-13881

2.7 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 4 months, 2 weeks ago by @jopejoe1 Activity log

Created suggestion 4 months, 2 weeks ago
@jopejoe1 ignored
5 packages
- terraform-providers.keycloak
- python312Packages.python-keycloak
- python313Packages.python-keycloak
- python314Packages.python-keycloak
- terraform-providers.keycloak_keycloak
4 months, 2 weeks ago

Org.keycloak.services.resources.admin: keycloak: limited administrator can retrieve sensitive user attributes via admin api

A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.

References

https://access.redhat.com/security/cve/CVE-2025-13881 x_refsource_REDHATvdb-entry
RHBZ#2418330 issue-trackingx_refsource_REDHAT
RHSA-2026:2365 x_refsource_REDHATvendor-advisory
RHSA-2026:2366 x_refsource_REDHATvendor-advisory

Affected products

keycloak

rhbk/keycloak-rhel9

rhbk/keycloak-rhel9-operator

rhbk/keycloak-operator-bundle

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

nixos-unstable 26.4.5
- nixpkgs-unstable 26.5.2
- nixos-unstable-small 26.5.2

Ignored packages (5)

pkgs.terraform-providers.keycloak

None

pkgs.python312Packages.python-keycloak

None

nixos-unstable 4.0.0

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

nixos-unstable 4.0.0
- nixpkgs-unstable 4.0.0
- nixos-unstable-small 4.0.0

pkgs.python314Packages.python-keycloak

Provides access to the Keycloak API

nixos-unstable -
- nixpkgs-unstable 4.0.0
- nixos-unstable-small 4.0.0

pkgs.terraform-providers.keycloak_keycloak

None

nixos-unstable 5.5.0
- nixpkgs-unstable 5.6.0
- nixos-unstable-small 5.6.0

Package maintainers

@leona-ya Leona Maroni <nix@leona.is>
@talyz Kim Lindberger <kim.lindberger@gmail.com>
@jefferyoo Jeffery Oo <oojefferywm@proton.me>
@ngerstle Nicholas Gerstle <ngerstle@gmail.com>
@NickCao Nick Cao <nickcao@nichi.co>
@kritdass Krit Dass <dasskrit@gmail.com>
@ap-1 Anish Pallati <i@anish.land>

Permalink CVE-2025-5416

2.7 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 7 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 9 months ago
@LeSuisse ignored
3 packages
- terraform-providers.keycloak
- python312Packages.python-keycloak
- python313Packages.python-keycloak
7 months, 2 weeks ago

Keycloak-core: keycloak environment information

A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.

References

https://access.redhat.com/security/cve/CVE-2025-5416 x_refsource_REDHATvdb-entry
RHBZ#2369601 issue-trackingx_refsource_REDHAT

Affected products

keycloak

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

nixos-unstable -
- nixpkgs-unstable 26.3.4

Ignored packages (3)

pkgs.terraform-providers.keycloak

None

nixos-unstable -
- nixpkgs-unstable 5.4.0

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

nixos-unstable -
- nixpkgs-unstable 4.0.0

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

nixos-unstable -
- nixpkgs-unstable 4.0.0

Package maintainers

@ngerstle Nicholas Gerstle <ngerstle@gmail.com>
@leona-ya Leona Maroni <nix@leona.is>
@NickCao Nick Cao <nickcao@nichi.co>
@talyz Kim Lindberger <kim.lindberger@gmail.com>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.keycloak

pkgs.terraform-providers.keycloak

pkgs.python312Packages.python-keycloak

pkgs.python313Packages.python-keycloak

pkgs.python314Packages.python-keycloak

pkgs.terraform-providers.keycloak_keycloak

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.keycloak

pkgs.terraform-providers.keycloak

pkgs.python312Packages.python-keycloak

pkgs.python313Packages.python-keycloak

Package maintainers