Red Hat Keycloak /unmanagedAttributes API Endpoint Improper User Profile Setting Enforcement Remote Custom Attribute Disclosure.

Red Hat Keycloak contains a flaw in the /unmanagedAttributes API endpoint: the visibility configuration defined in the User Profile settings is not properly enforced by this endpoint.
This may allow an authenticated remote attacker to disclose sensitive custom attributes, such as phone numbers or personal addresses, that are configured to be hidden from users and administrators.
CVSS Score: 3.5
CVE-ID: CVE-2025-13881
Communication Date: 2/3/2026
Target Remediation Date: 9/1/2026
Alert Publication Date: 1/29/2026
Devtest 10.8
IAM component
Product team confirmed that this will be addressed in the Devtest 10.9.1 release.
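As an added illustration (not Keycloak's code), the check below models the enforcement the advisory says the endpoint lacks: an attribute's view permissions from the User Profile configuration must filter what a caller receives, and a response can be audited for attributes the caller should not see. The config shape (attributes with a `permissions.view` list of `admin`/`user`) and the sample values are constructed assumptions.

```python
"""Model of User Profile visibility enforcement for an attribute-returning endpoint.

filter_by_visibility() is the behaviour a correctly enforcing endpoint should have;
leaked_attribute_names() audits a captured endpoint response against the profile
config, which is how a defender can confirm a fix after upgrading.
"""
from typing import Dict, List

# Constructed sample User Profile config (shape is an assumption, not Keycloak's schema).
USER_PROFILE_CONFIG = {
    "attributes": [
        {"name": "email", "permissions": {"view": ["admin", "user"]}},
        {"name": "phone", "permissions": {"view": ["admin"]}},        # hidden from users
        {"name": "homeAddress", "permissions": {"view": []}},         # hidden from everyone
    ]
}

# Constructed sample of one user's stored custom attributes.
STORED_ATTRIBUTES: Dict[str, List[str]] = {
    "email": ["alice@example.test"],
    "phone": ["+1-555-0100"],
    "homeAddress": ["1 Example Street"],
}


def can_view(config: dict, name: str, caller_role: str) -> bool:
    """True if the profile config grants caller_role view access to attribute name.
    Attributes not declared in the config are treated as not viewable here."""
    for attr in config["attributes"]:
        if attr["name"] == name:
            return caller_role in attr.get("permissions", {}).get("view", [])
    return False


def filter_by_visibility(stored: Dict[str, List[str]], config: dict,
                         caller_role: str) -> Dict[str, List[str]]:
    """Hardened behaviour: return only attributes the caller is permitted to view.
    The flaw in the advisory corresponds to returning `stored` unfiltered."""
    return {n: v for n, v in stored.items() if can_view(config, n, caller_role)}


def leaked_attribute_names(response: Dict[str, List[str]], config: dict,
                           caller_role: str) -> List[str]:
    """Audit check: names present in an endpoint response that the config says
    caller_role may not view. An empty list means visibility was enforced."""
    return sorted(n for n in response if not can_view(config, n, caller_role))
```

Running the audit with a real captured response in place of `STORED_ATTRIBUTES` tells you whether hidden attributes are still being returned to that role.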