Red Hat Keycloak Admin API
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
A vulnerability exists in the Keycloak Admin API's unmanagedAttributes endpoint that allows administrators with limited privileges to read sensitive custom user attributes. The endpoint does not enforce the visibility settings defined in the realm's User Profile configuration, so it returns information such as phone numbers or personal addresses that the profile marks as hidden from both users and administrators.
Exploitation of this vulnerability could lead to unauthorized access to sensitive user information, including custom attributes that are meant to be hidden from administrative view.
To reproduce this vulnerability, an administrator with the view-users role must send a request to the Keycloak Admin API's unmanagedAttributes endpoint. The target realm must have the User Profile feature enabled, with custom attributes set to restricted visibility. Once the request is made, the sensitive attributes that are supposed to be hidden will be returned, demonstrating the bypass of the visibility settings.
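As an added example, not part of this advisory and not Keycloak's own code, the following Python sketch shows the visibility rule the User Profile defines and that the advisory says the unmanagedAttributes endpoint failed to apply. It assumes the documented shape of Keycloak's declarative User Profile JSON (each declared attribute carries `permissions.view` and `permissions.edit` lists naming `admin` and/or `user`; `unmanagedAttributePolicy` governs attributes not declared in the profile) and treats edit permission as implying view permission; the profile and user data are constructed here for illustration.

```python
"""Attribute visibility filtering modelled on Keycloak's declarative User Profile.

Added example, not Keycloak code. Assumptions: declared attributes carry
permissions.view / permissions.edit lists containing "admin" and/or "user";
unmanagedAttributePolicy (DISABLED, ENABLED, ADMIN_VIEW, ADMIN_EDIT) decides
what happens to attributes the profile does not declare; edit implies view.
"""

ADMIN = "admin"
USER = "user"

# Constructed sample profile: email is public, phoneNumber is admin-only,
# homeAddress is hidden from everyone, and undeclared attributes are
# viewable by admins only.
SAMPLE_PROFILE = {
    "unmanagedAttributePolicy": "ADMIN_VIEW",
    "attributes": [
        {"name": "email", "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]}},
        {"name": "phoneNumber", "permissions": {"view": ["admin"], "edit": ["admin"]}},
        {"name": "homeAddress", "permissions": {"view": [], "edit": []}},
    ],
}

# Constructed raw attribute map as stored on a user (name -> list of values).
SAMPLE_ATTRIBUTES = {
    "email": ["jdoe@example.test"],
    "phoneNumber": ["+1-555-0100"],
    "homeAddress": ["1 Example Street"],
    "legacyId": ["LEG-42"],  # not declared in the profile -> unmanaged
}


def visible_attributes(profile, attributes, role):
    """Return the subset of `attributes` that `role` ("admin" or "user") may view.

    This is the filtering a profile-aware endpoint must perform before
    returning attributes to a caller; an endpoint that returns `attributes`
    unfiltered exposes everything regardless of the profile.
    """
    if role not in (ADMIN, USER):
        raise ValueError(f"unknown role: {role!r}")
    declared = {a["name"]: a for a in profile.get("attributes", [])}
    # Keycloak treats an absent policy as DISABLED (unmanaged attributes hidden).
    policy = profile.get("unmanagedAttributePolicy") or "DISABLED"

    result = {}
    for name, values in attributes.items():
        if name in declared:
            perms = declared[name].get("permissions", {})
            # Edit permission implies view; an empty set hides the attribute
            # from both users and administrators.
            viewers = set(perms.get("view", [])) | set(perms.get("edit", []))
            if role in viewers:
                result[name] = values
        else:
            # Unmanaged attribute: only the realm-wide policy can expose it.
            admin_only = policy in ("ADMIN_VIEW", "ADMIN_EDIT") and role == ADMIN
            if policy == "ENABLED" or admin_only:
                result[name] = values
    return result


def hidden_attributes(profile, attributes, role):
    """Names that must never appear in a response to `role`; useful when
    auditing an endpoint's actual output against the profile."""
    return sorted(set(attributes) - set(visible_attributes(profile, attributes, role)))


if __name__ == "__main__":
    for role in (ADMIN, USER):
        print(role, "sees:", visible_attributes(SAMPLE_PROFILE, SAMPLE_ATTRIBUTES, role))
        print(role, "must not see:", hidden_attributes(SAMPLE_PROFILE, SAMPLE_ATTRIBUTES, role))
```

Comparing `hidden_attributes(...)` for a given role against what an Admin API response actually contains is a simple way to confirm, in a test realm, whether a deployment still returns attributes the profile marks as hidden.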