CVE-2025-14778
Broken Access Control in Keycloak UMA API Enables Privilege Escalation
Publication date: 2026-02-09
Last updated on: 2026-02-10
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Broken Access Control flaw in Keycloak's UserManagedPermissionService (UMA Protection API). When a user tries to update or delete a UMA policy that applies to multiple resources, the system only checks if the user owns the first resource in the policy's list. Because of this, a user who owns one resource can improperly modify authorization rules for other resources in the same policy that belong to different users. This results in horizontal privilege escalation, where a user gains unauthorized access to resources owned by others.
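The flaw described above is an incomplete ownership check: a policy spanning several resources is authorized against the owner of the first resource only. The following is an added illustration, not Keycloak's own code and not its API; the `Resource`, `Policy` and `UmaPolicyOwnershipCheck` names, the in-memory resource store and the sample users and resource ids are all hypothetical. It places the first-resource-only check next to a check that requires the caller to own every resource the policy covers, and shows how a policy over two differently owned resources slips through the first but is denied by the second.

```java
import java.util.List;
import java.util.Map;
import java.util.Objects;

/**
 * Added illustration of the access-control pattern behind CVE-2025-14778.
 * This is a simplified stand-in for a UMA policy service, not Keycloak code:
 * all names, types and sample data below are hypothetical.
 */
public class UmaPolicyOwnershipCheck {

    /** A protected resource and the id of the user who owns it. */
    record Resource(String id, String ownerId) {}

    /** A user-managed policy that applies to one or more resources. */
    record Policy(String id, List<String> resourceIds) {}

    /** Hypothetical resource store (constructed sample data). */
    static final Map<String, Resource> RESOURCES = Map.of(
            "res-1", new Resource("res-1", "alice"),
            "res-2", new Resource("res-2", "bob"));

    /**
     * Vulnerable pattern: only the owner of the FIRST resource in the policy
     * is checked, so a caller who owns res-1 can alter a policy that also
     * governs bob's res-2.
     */
    static boolean vulnerableCanModify(String callerId, Policy policy) {
        if (policy.resourceIds().isEmpty()) {
            return false;
        }
        Resource first = RESOURCES.get(policy.resourceIds().get(0));
        return first != null && Objects.equals(first.ownerId(), callerId);
    }

    /**
     * Hardened pattern: the caller must own EVERY resource the policy covers.
     * An empty or unknown resource denies by default.
     */
    static boolean hardenedCanModify(String callerId, Policy policy) {
        if (policy.resourceIds().isEmpty()) {
            return false;
        }
        for (String resourceId : policy.resourceIds()) {
            Resource resource = RESOURCES.get(resourceId);
            if (resource == null || !Objects.equals(resource.ownerId(), callerId)) {
                return false; // one foreign or unknown resource is enough to deny
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample: one policy that spans alice's and bob's resources.
        Policy shared = new Policy("pol-1", List.of("res-1", "res-2"));

        // alice owns res-1 only; the first-resource check lets her modify a
        // policy that also controls bob's res-2 (horizontal privilege escalation).
        System.out.println("vulnerable, alice: " + vulnerableCanModify("alice", shared)); // true
        System.out.println("hardened,   alice: " + hardenedCanModify("alice", shared));   // false

        // A policy that covers only alice's own resource is still allowed.
        Policy own = new Policy("pol-2", List.of("res-1"));
        System.out.println("hardened,   alice, own policy: " + hardenedCanModify("alice", own)); // true

        // bob owns res-2 but not res-1: denied by both checks in this ordering,
        // which is exactly why an ordering-dependent check is unreliable.
        System.out.println("vulnerable, bob: " + vulnerableCanModify("bob", shared)); // false
    }
}
```

The hardened variant makes the decision independent of resource ordering, which is the property a reviewer should look for in any update or delete path that accepts a multi-resource policy: every resource referenced by the policy is resolved and its owner compared to the caller, with unknown or empty references treated as a denial.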
How can this vulnerability impact me?
This vulnerability can allow a user to escalate their privileges horizontally by modifying access controls on resources they do not own. As a result, unauthorized users could change authorization rules for other users' resources, potentially gaining access to sensitive information or performing unauthorized actions. This undermines the security and integrity of resource access management within the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know