Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
Moderate severity · GitHub Reviewed
Published Nov 25, 2025 to the GitHub Advisory Database • Updated Nov 26, 2025
Package
Affected versions: < 26.4.6
Patched versions: 26.4.6
Published by the National Vulnerability Database: Nov 25, 2025
Reviewed: Nov 26, 2025

Description
A flaw was found in the Keycloak LDAP User Federation provider. An authenticated realm administrator can supply a malicious LDAP server configuration that causes Keycloak to deserialize untrusted Java objects. Because the trigger requires realm-administrator privileges, the issue is rated moderate; the fix is to upgrade to Keycloak 26.4.6 or later.
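The advisory names the vulnerability class (untrusted Java deserialization) but not the code path, so the following is an added, generic defense-in-depth example and not Keycloak's code or its fix. It shows a JEP 290 ObjectInputFilter allow-list that rejects any class other than java.lang.String before it is instantiated; the serialized byte strings are constructed in the program itself as stand-ins for data an attacker-controlled LDAP server might return. The class and method names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

/** Added example: allow-list deserialization guard (not Keycloak code). */
public class DeserializationGuard {

    // Pattern filter: permit java.lang.String, reject every other class ("!*").
    // The same pattern can be applied JVM-wide with -Djdk.serialFilter=... so that
    // every ObjectInputStream, including ones created by libraries, is covered.
    static final ObjectInputFilter ALLOW_LIST =
            ObjectInputFilter.Config.createFilter("java.lang.String;!*");

    /** Helper used only to build the constructed sample inputs below. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Deserializes bytes from an untrusted source. The filter runs on each class
     * descriptor as it is read, so a rejected class never gets instantiated and
     * none of its readObject/readResolve logic executes.
     */
    static Object deserializeGuarded(byte[] untrustedBytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(untrustedBytes))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a plain String is on the allow-list and is returned.
        Object ok = deserializeGuarded(serialize("cn=alice,ou=people,dc=example,dc=org"));
        System.out.println("accepted: " + ok);

        // Constructed sample 2: an arbitrary object graph (HashMap here, standing in
        // for whatever class a hostile server chooses) is rejected at the class
        // descriptor, with InvalidClassException "filter status: REJECTED".
        Map<String, String> graph = new HashMap<>();
        graph.put("javaClassName", "anything");
        byte[] hostile = serialize(graph);
        try {
            deserializeGuarded(hostile);
            System.out.println("BUG: untrusted graph was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `java DeserializationGuard.java` (JDK 11 or later). The filter is a mitigation for the class of bug, not a substitute for the 26.4.6 upgrade: it limits what a deserialization primitive can instantiate, but the correct fix is for the provider not to deserialize data from an administrator-supplied server in the first place. For JNDI-based LDAP clients specifically, the JDK also offers the system property com.sun.jndi.ldap.object.trustSerialData (set it to false to stop the JDK's LDAP provider from deserializing javaSerializedData attributes); whether that setting is involved in Keycloak's fix is not stated in this advisory.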