CVE-2025-14777
IDOR Vulnerability in Keycloak Admin API Enables Cross-Client Resource Manipulation
Publication date: 2025-12-16
Last updated on: 2026-04-02
Assigner: Red Hat, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | 3.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-289 | The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR) in Keycloak's admin API endpoints for authorization resource management. It occurs because the system checks authorization using the client ID provided in the API request, but the backend database operations only use the resource ID without verifying the client association. As a result, an authenticated attacker with admin permissions for one client can delete or modify resources belonging to another client within the same realm by supplying a valid resource ID from that other client. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker who has admin permissions for one client to delete or modify resources of another client within the same realm. This could lead to unauthorized data modification or deletion, potentially disrupting services or causing data loss for other clients sharing the realm. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring API requests to the Keycloak admin endpoints for unusual or unauthorized access patterns, specifically requests to ResourceSetService and PermissionTicketService that attempt to access or modify resources with resource IDs not associated with the authenticated client's resourceServer ID. Since the vulnerability allows an attacker with fine-grained admin permissions on one client to delete or update resources of another client by supplying a valid resource ID, commands or scripts that log and analyze API calls for mismatched resourceServer and resourceId combinations can help detect exploitation attempts. However, no specific commands are provided in the available resources. [1]
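Since the answer above notes that no specific commands are available, here is an added example (not from this page or the Keycloak project) of the described check applied to admin-event records: it flags operations whose request path names one client while the referenced resource ID is owned by a different client. It assumes Keycloak-style admin events carrying `operationType`, `authDetails.userId` and a `resourcePath` of the form `clients/<client>/authz/resource-server/resource/<resource>`, plus an exported inventory mapping resource IDs to their owning client; every ID and event line is constructed for the example.

```python
import json

# Constructed inventory: authorization resource ID -> owning client (resource
# server). In practice this is exported from the realm's authorization settings.
RESOURCE_OWNER = {"res-1001": "client-A", "res-1002": "client-A", "res-2001": "client-B"}

# Constructed admin-event records. Field names follow Keycloak admin events
# (operationType, authDetails, resourcePath) as an assumption; values are invented.
SAMPLE_EVENTS = [
    '{"operationType":"DELETE","authDetails":{"userId":"u1"},'
    '"resourcePath":"clients/client-A/authz/resource-server/resource/res-1001"}',
    '{"operationType":"UPDATE","authDetails":{"userId":"u2"},'
    '"resourcePath":"clients/client-A/authz/resource-server/resource/res-2001"}',
    '{"operationType":"DELETE","authDetails":{"userId":"u2"},'
    '"resourcePath":"clients/client-B/authz/resource-server/resource/res-2001"}',
    '{"operationType":"CREATE","authDetails":{"userId":"u1"},'
    '"resourcePath":"clients/client-A/roles/admin"}',
]


def parse_resource_path(path):
    """Return (client_id, resource_id) for a resource-server resource path, else None."""
    parts = path.strip("/").split("/")
    # Expected shape: clients/<client>/authz/resource-server/resource/<resource>
    if (len(parts) >= 6 and parts[0] == "clients"
            and parts[2:5] == ["authz", "resource-server", "resource"]):
        return parts[1], parts[5]
    return None


def find_cross_client_access(event_lines, owners):
    """Flag events whose request path names a client other than the resource's owner."""
    findings = []
    for line in event_lines:
        event = json.loads(line)
        parsed = parse_resource_path(event.get("resourcePath", ""))
        if parsed is None:
            continue  # not an authorization resource operation
        client_id, resource_id = parsed
        owner = owners.get(resource_id)
        if owner is not None and owner != client_id:
            findings.append({
                "user": event.get("authDetails", {}).get("userId"),
                "operation": event.get("operationType"),
                "requested_via": client_id,
                "resource_id": resource_id,
                "owner": owner,
            })
    return findings
```

Running `find_cross_client_access(SAMPLE_EVENTS, RESOURCE_OWNER)` on the constructed data reports the single UPDATE of `res-2001` issued through `client-A`, while the two same-client operations and the unrelated role change are ignored.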
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting fine-grained admin permissions to trusted users only, monitoring and auditing admin API usage for suspicious activity, and applying any available patches or updates from Keycloak or your Linux distribution that address this vulnerability. Since the issue arises from a backend authorization mismatch, updating Keycloak to a fixed version when available is critical. Until then, limiting access and closely monitoring API calls can reduce risk. [1]