CVE-2026-14613
Status: Received - Intake

Information Disclosure in Keycloak Admin Interface

Vulnerability report for CVE-2026-14613, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: Red Hat, Inc.

Description

A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to see those specific groups. This could allow a restricted administrator to discover "hidden" groups and see their details, such as internal names and custom settings, which might contain sensitive deployment information.


Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor   Product    Version / Range
redhat   keycloak   From 2 (inc)

Exploitability

CWE ID: CWE-UNKNOWN
Description: (none listed)

AI Quick Actions (instant insights powered by AI)
Executive Summary

This vulnerability exists in Keycloak's administrative interface when the Fine-Grained Admin Permissions version 2 (FGAP v2) feature is enabled.

An administrator who has permission to view a specific role can also see a list of all groups assigned to that role, even if they do not have permission to view those groups individually.

The system fails to check group-level permissions properly, allowing the administrator to discover hidden groups and view sensitive details such as internal names, paths, and custom settings.

This happens because the endpoints responsible for returning groups in a role only verify if the user can view the role, not the individual groups, due to a flaw in the RoleContainerResource.getGroupsInRole() method.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information about groups that an administrator should not have access to.

Restricted administrators may be able to discover hidden groups and view their metadata, including internal names, paths, and custom attributes.

Such exposure could reveal sensitive deployment information, potentially aiding attackers or unauthorized users in understanding the system's structure and configuration.

Detection Guidance

This vulnerability can be detected by testing the Keycloak administrative interface endpoints related to roles and groups when Fine-Grained Admin Permissions v2 (FGAP v2) is enabled.

Specifically, you can attempt to access the following endpoints with an administrator account that has permission to view a role but should not have permission to view all groups assigned to that role:

  • GET /admin/realms/{realm}/clients/{clientUuid}/roles/{roleName}/groups
  • GET /admin/realms/{realm}/roles/{roleName}/groups

If these endpoints return group details such as internal names, paths, or custom attributes without proper permission checks, the vulnerability is present.

You can use tools like curl or any REST API client to perform these requests. For example:

  • curl -H "Authorization: Bearer <token>" https://<keycloak-server>/admin/realms/<realm>/roles/<roleName>/groups
  • curl -H "Authorization: Bearer <token>" https://<keycloak-server>/admin/realms/<realm>/clients/<clientUuid>/roles/<roleName>/groups

Replace <token>, <keycloak-server>, <realm>, <clientUuid>, and <roleName> with appropriate values. If group information is returned despite restricted permissions, the vulnerability exists.
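The following is an added example, not Keycloak code and not part of the original report. It models in plain Python the authorization gap described above: a groups-in-role endpoint that checks only the caller's permission on the role (the behaviour attributed to RoleContainerResource.getGroupsInRole()) next to a hardened version that additionally filters every returned group by the caller's group-view permission. It also includes a small check, leaked_groups(), that takes the JSON list returned by the curl requests above together with the set of group ids the testing administrator is permitted to view and reports any group that should not have been returned. The group dictionaries are constructed sample data shaped like Keycloak's GroupRepresentation (id, name, path, attributes); the permission model (AdminPermissions) and all names are assumptions for illustration.

```python
"""Model of the CVE-2026-14613 authorization gap plus a response check.

Added example; not Keycloak's own code. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class AdminPermissions:
    """Hypothetical FGAP-style grants for one administrator (assumed model)."""
    viewable_roles: FrozenSet[str]
    viewable_groups: FrozenSet[str]  # group ids the admin may view


class Forbidden(Exception):
    """Raised when the caller may not view the requested role."""


# Constructed realm state: three groups, one role mapped to all of them.
# Shaped like Keycloak GroupRepresentation (id, name, path, attributes).
GROUPS: Dict[str, dict] = {
    "g-1": {"id": "g-1", "name": "finance", "path": "/finance", "attributes": {}},
    "g-2": {"id": "g-2", "name": "infra-prod", "path": "/infra/prod",
            "attributes": {"vault_path": ["secret/prod"]}},  # sensitive custom setting
    "g-3": {"id": "g-3", "name": "hr", "path": "/hr", "attributes": {}},
}
ROLE_GROUPS: Dict[str, List[str]] = {"auditor": ["g-1", "g-2", "g-3"]}


def groups_in_role_vulnerable(role: str, perms: AdminPermissions) -> List[dict]:
    """Checks only the role, then returns every mapped group.

    This is the flawed behaviour the report describes: an admin allowed to
    view the role receives groups they are not allowed to view.
    """
    if role not in perms.viewable_roles:
        raise Forbidden(role)
    return [GROUPS[gid] for gid in ROLE_GROUPS.get(role, [])]


def groups_in_role_fixed(role: str, perms: AdminPermissions) -> List[dict]:
    """Role check plus a per-object check on each group before it is returned.

    Groups the caller may not view are omitted rather than failing the whole
    request; which behaviour the real fix chose is not stated in the report.
    """
    if role not in perms.viewable_roles:
        raise Forbidden(role)
    return [GROUPS[gid] for gid in ROLE_GROUPS.get(role, [])
            if gid in perms.viewable_groups]


def leaked_groups(response: List[dict], allowed_group_ids: FrozenSet[str]) -> List[str]:
    """Audit a groups-in-role response body against the caller's allowed groups.

    Feed it the parsed JSON from the curl requests above and the set of group
    ids the test administrator is permitted to view. A non-empty result means
    group details were returned without a group-level permission check.
    """
    return sorted(g["id"] for g in response if g["id"] not in allowed_group_ids)


def denied(endpoint: Callable[[str, AdminPermissions], List[dict]],
           role: str, perms: AdminPermissions) -> bool:
    """True when the endpoint refuses the request for lack of role permission."""
    try:
        endpoint(role, perms)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # A restricted admin: may view the "auditor" role but only the "finance" group.
    restricted = AdminPermissions(frozenset({"auditor"}), frozenset({"g-1"}))
    before = groups_in_role_vulnerable("auditor", restricted)
    after = groups_in_role_fixed("auditor", restricted)
    print("vulnerable endpoint leaked:", leaked_groups(before, restricted.viewable_groups))
    print("fixed endpoint leaked:    ", leaked_groups(after, restricted.viewable_groups))
```

When testing a live instance, run the curl requests above with a token for an administrator whose FGAP v2 grants cover the role but only some of its groups, parse the JSON array, and pass it to leaked_groups() with that administrator's permitted group ids; any id in the result is a group whose name, path and attributes were disclosed without a group-level check.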

Mitigation Strategies

To mitigate this vulnerability immediately, consider the following steps:

  • Disable Fine-Grained Admin Permissions v2 (FGAP v2) if it is not strictly required, to prevent the flawed permission checks from being exploited.
  • Restrict administrative roles so that only fully trusted administrators have permissions to view roles that could expose group information.
  • Monitor and audit administrative API usage to detect any unusual access patterns to the affected endpoints.
  • Apply any available patches or updates from Keycloak or your vendor that address this specific permission enforcement flaw.

Compliance Impact

This vulnerability allows certain administrators to view information about groups they should not have access to, including sensitive deployment details such as internal names and custom settings.

Such unauthorized access to sensitive information could potentially lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

By exposing hidden groups and their metadata to restricted administrators, the system fails to enforce proper access controls, increasing the risk of data exposure and violating principles of least privilege and confidentiality mandated by these regulations.
