CVE-2026-14209
Status: Awaiting Analysis (Queue)

Keycloak Admin UI Fine-Grained Permission Bypass

Vulnerability report for CVE-2026-14209, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Red Hat, Inc.

Description

A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific "brute-force-user" endpoint to access a user's full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required "view" permission for that specific user when using this particular search path.

CVSS Scores


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

1 associated CPE
Vendor: keycloak
Product: keycloak_admin_ui_extension
Version / Range: * (any version)

Helpful Resources

Exploitability

CWE

CWE-639 (Authorization Bypass Through User-Controlled Key): The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

KEV

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-14209 is a security vulnerability in the Keycloak Admin UI extension that allows certain administrative users to bypass security restrictions when Fine-Grained Admin Permissions version 2 (FGAPv2) are enabled.

Specifically, an administrator who should only be able to search for users but not view their full details can exploit a particular endpoint (/admin/realms/{realm}/ui-ext/brute-force-user?search=id:{userId}) to access a user's full profile.

This happens because the system fails to check if the administrator has the required 'view' permission for that specific user when using this search path, allowing unauthorized access to sensitive information and security metadata.

Impact Analysis

This vulnerability can allow an authenticated administrative user with limited permissions to access full user profiles, including Personally Identifiable Information (PII) and brute-force attack metadata, which they should not be authorized to see.

Such unauthorized access can lead to privacy violations, potential misuse of sensitive user data, and increased risk of insider threats or data leaks within an organization.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized access attempts to the specific Keycloak Admin UI extension endpoint that is vulnerable. The endpoint involved is GET /admin/realms/{realm}/ui-ext/brute-force-user?search=id:{userId}.

To detect exploitation attempts, you can search your Keycloak server logs or network traffic for requests to this endpoint, especially those made by users with the query-users client role from realm-management.

  • Use command-line tools like grep to search Keycloak logs for the vulnerable endpoint. Note that request lines appear in the log only if Keycloak's HTTP access log is enabled; the default server.log does not record request URLs. Example:
      grep "/admin/realms/.*/ui-ext/brute-force-user?search=id:" /path/to/keycloak/logs/server.log
  • Use network monitoring tools (e.g., tcpdump or Wireshark) to filter HTTP GET requests to the vulnerable endpoint. Example tcpdump command to capture such traffic (adjust interface and filters as needed; the BPF expression selects only TCP segments that carry a payload, and the request line is readable only where the traffic is plaintext, e.g. between a TLS-terminating proxy and Keycloak):
      tcpdump -i eth0 -A 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep "/admin/realms/"

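
The detection logic above, as an added example that is not part of this report or of Keycloak itself: a small Python parser that runs over HTTP access-log lines and flags GET requests to the brute-force-user endpoint whose search parameter starts with id:. The log lines, admin account names, realm name and user IDs are constructed for illustration, and the log format (client, user, timestamp, request line, status) is an assumption; adjust LOG_RE to your access-log format. Unlike the grep on the page, it percent-decodes the query string, so a request sent as search=id%3A<userId> is still matched, and it tallies lookups per admin account so that accounts which should only hold query-users stand out.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real Keycloak output). The format
# mimics a common HTTP access log: client, user, timestamp, request line, status.
SAMPLE_LOG = """\
10.0.0.5 - helpdesk-admin [30/Jun/2026:10:01:02 +0000] "GET /admin/realms/corp/users?search=alice HTTP/1.1" 200
10.0.0.5 - helpdesk-admin [30/Jun/2026:10:01:09 +0000] "GET /admin/realms/corp/ui-ext/brute-force-user?search=id:4f1c2b7e-0000-4000-8000-000000000001 HTTP/1.1" 200
10.0.0.7 - auditor [30/Jun/2026:10:02:15 +0000] "GET /admin/realms/corp/ui-ext/brute-force-user?search=id%3A4f1c2b7e-0000-4000-8000-000000000002 HTTP/1.1" 200
10.0.0.9 - realm-admin [30/Jun/2026:10:03:40 +0000] "GET /admin/realms/corp/ui-ext/brute-force-user?search=bob HTTP/1.1" 200
10.0.0.5 - helpdesk-admin [30/Jun/2026:10:04:01 +0000] "POST /admin/realms/corp/users HTTP/1.1" 201
"""

# Assumed access-log layout; replace with the pattern for your own log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The endpoint named in the advisory, with the realm captured from the path.
ENDPOINT_RE = re.compile(r'^/admin/realms/(?P<realm>[^/]+)/ui-ext/brute-force-user$')


def find_brute_force_user_lookups(log_text):
    """Return one dict per GET request to the brute-force-user endpoint whose
    search parameter is an id: lookup, i.e. the access path the advisory describes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than fail the whole scan
        parts = urlsplit(m.group('target'))
        ep = ENDPOINT_RE.match(parts.path)
        if not ep or m.group('method') != 'GET':
            continue
        # parse_qs percent-decodes values, so "id%3A..." is normalised to "id:..."
        # and a plain grep for "id:" would not have caught it.
        for value in parse_qs(parts.query).get('search', []):
            if value.startswith('id:'):
                hits.append({
                    'client': m.group('client'),
                    'user': m.group('user'),
                    'time': m.group('time'),
                    'realm': ep.group('realm'),
                    'user_id': value[len('id:'):],
                    'status': int(m.group('status')),
                })
    return hits


def summarize_by_admin(hits):
    """Count id: lookups per admin account; compare the result against who
    actually holds the query-users role to spot accounts that should not
    be retrieving full profiles this way."""
    counts = {}
    for h in hits:
        counts[h['user']] = counts.get(h['user'], 0) + 1
    return counts


if __name__ == '__main__':
    found = find_brute_force_user_lookups(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['user']}@{h['client']} realm={h['realm']} "
              f"user_id={h['user_id']} status={h['status']}")
    print(summarize_by_admin(found))
```

On the constructed sample this reports the helpdesk-admin and auditor requests (the second one only because the colon was percent-decoded) and ignores the realm-admin request, whose search value is a username rather than an id: lookup. A 200 status on a flagged line is the signal that a full profile was returned; after patching, the same requests from an admin with only query-users should no longer succeed.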
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint and reviewing administrative permissions.

Specifically, ensure that only trusted administrators have the query-users client role from realm-management, as this role is required to exploit the vulnerability.

If possible, disable or restrict the use of the Fine-Grained Admin Permissions (FGAPv2) feature until a patch or update addressing this vulnerability is applied.

Monitor and audit administrative actions to detect any unauthorized access to user profiles.

Apply any available security patches or updates from Keycloak or your vendor as soon as they are released.

Compliance Impact

This vulnerability allows certain administrative users to bypass Fine-Grained Admin Permissions (FGAPv2) in Keycloak's Admin UI extension, enabling them to access full user profiles including Personally Identifiable Information (PII) and security metadata without proper authorization.

Unauthorized access to PII and sensitive user data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Therefore, exploitation of this vulnerability could result in violations of these standards by exposing sensitive user information to administrators who should not have viewing permissions, potentially leading to legal and regulatory consequences.
