Keycloak, Improper Access Control, CVE-2024-??? (Low)

Listen to this Post

This vulnerability exploits a misalignment between the Keycloak Admin REST API’s `/unmanagedAttributes` endpoint and the configurable User Profile. An administrator with limited privileges, such as only managing realm roles, can craft a GET request to this endpoint for a target user. The endpoint returns all user attributes stored on the Keycloak server-side UserModel object. Crucially, this bypasses the declarative User Profile configuration, which is designed to restrict the visibility of sensitive custom attributes (e.g., SSN, internal_id) based on viewer permissions. The API fails to filter the response according to these profile visibility rules, leaking attribute data the admin is not authorized to see. The attack requires an authenticated admin session but not full super-user rights, representing a privilege escalation within the admin console that leads to unauthorized information disclosure.
Platform: Keycloak
Version: Not specified
Vulnerability: Sensitive data exposure
Severity: Low
date: 2026-02-02

Prediction: Patch Q1 2026

What Undercode Say:

curl -H "Authorization: Bearer $ADMIN_TOKEN" https://keycloak-host/admin/realms/master/users/TARGET_USER_ID/unmanagedAttributes
grep -r "unmanagedAttributes" /keycloak/source/
// Example UserModel getAttribute call
user.getAttributes().get("confidential_attribute");

How Exploit:

1. Attacker obtains low-privilege admin credentials.

2. Attacker identifies target user ID.

3. Attacker queries the vulnerable `/unmanagedAttributes` endpoint.

  1. Attacker extracts all custom attributes from the JSON response.

Protection from this CVE

Apply vendor patch.

Review admin privileges.

Enforce User Profile configuration.

Impact:

Sensitive attribute disclosure.

Privacy regulation violation.

Limited privilege escalation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top