CVE-2026-14614

Keycloak FGAP v2 ClientResource Privilege Escalation

Vulnerability report for CVE-2026-14614, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: Red Hat, Inc.

Description

A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended.


Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor | Product | Version / Range
keycloak | keycloak | *

Exploitability

CWE ID: CWE-UNKNOWN

AI Quick Actions

Executive Summary

This vulnerability exists in Keycloak's ClientResource component when Fine-Grained Admin Permissions (FGAP) v2 is enabled. It allows a delegated administrator, who should have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to manage.

The root cause is insufficient permission validation: the system only checks if the caller has manage permissions on the target client but does not verify permissions on the client scope being attached. An attacker with delegated admin roles can exploit this by linking restricted client scopes to their managed clients.

This can lead to unauthorized claim injection into end-user access tokens, potentially tricking other applications into granting higher access levels than intended.

Impact Analysis

The vulnerability can allow an attacker with delegated admin privileges to inject unauthorized data or permissions into security tokens issued to end-users.

This unauthorized claim injection can cause relying applications to grant higher levels of access than intended, leading to potential authorization bypass.

Additionally, if the hidden client scopes contain sensitive claims or mappers, this could result in data exposure.

Detection Guidance

This vulnerability involves unauthorized attachment or removal of hidden client scopes by delegated administrators in Keycloak when Fine-Grained Admin Permissions (FGAP) v2 is enabled. Detection would involve monitoring administrative API calls related to client scope management, especially the admin REST operations backed by methods such as ClientResource.addDefaultClientScope(), where permissions on the scope being attached are insufficiently validated.

Specifically, detection could focus on identifying unusual or unauthorized modifications of client scopes by users with delegated admin roles who should not have permissions on those scopes.

However, no specific commands or detection scripts are provided in the available resources.
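As an added example (not from the advisory and not Keycloak's own code), the detection idea above as a check over constructed Keycloak admin-event records: it flags any attach or detach of a scope from a restricted list that was performed by an account outside the realm-admin allow-list. The event field names, resource-path format, scope IDs and user IDs are assumptions.

```python
import json
import re

# Constructed sample of Keycloak admin events (JSON lines). The record shape
# mirrors Keycloak's admin-event fields, but values and layout are assumptions.
SAMPLE_EVENTS = """\
{"time":1782000000000,"realmId":"corp","authDetails":{"userId":"u-realm-admin","clientId":"admin-cli"},"resourceType":"CLIENT_SCOPE_MAPPING","operationType":"CREATE","resourcePath":"clients/c-portal/default-client-scopes/scope-profile"}
{"time":1782000060000,"realmId":"corp","authDetails":{"userId":"u-delegated","clientId":"admin-cli"},"resourceType":"CLIENT_SCOPE_MAPPING","operationType":"CREATE","resourcePath":"clients/c-portal/default-client-scopes/scope-internal-roles"}
{"time":1782000120000,"realmId":"corp","authDetails":{"userId":"u-delegated","clientId":"admin-cli"},"resourceType":"CLIENT_SCOPE_MAPPING","operationType":"DELETE","resourcePath":"clients/c-portal/optional-client-scopes/scope-audit"}
{"time":1782000180000,"realmId":"corp","authDetails":{"userId":"u-delegated","clientId":"admin-cli"},"resourceType":"CLIENT","operationType":"UPDATE","resourcePath":"clients/c-portal"}
"""

# Scopes that delegated admins must not see or manage (assumed list kept by
# the realm owner) and the accounts that are allowed to touch them.
RESTRICTED_SCOPES = {"scope-internal-roles", "scope-audit"}
REALM_ADMINS = {"u-realm-admin"}

# Resource path of the default/optional client-scope attach and detach
# operations (assumed format).
SCOPE_PATH = re.compile(
    r"^clients/(?P<client>[^/]+)/(?:default|optional)-client-scopes/(?P<scope>[^/]+)$"
)

def find_suspicious_scope_mappings(event_lines):
    """Return one alert per attach/detach of a restricted scope performed by
    an account outside the realm-admin allow-list."""
    alerts = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("resourceType") != "CLIENT_SCOPE_MAPPING":
            continue
        m = SCOPE_PATH.match(ev.get("resourcePath", ""))
        if not m:
            continue
        actor = ev.get("authDetails", {}).get("userId")
        scope = m.group("scope")
        if scope in RESTRICTED_SCOPES and actor not in REALM_ADMINS:
            alerts.append({"time": ev["time"], "actor": actor,
                           "client": m.group("client"), "scope": scope,
                           "op": ev.get("operationType")})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_scope_mappings(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the restricted-scope list would be derived from the realm's FGAP scope permissions rather than hard-coded.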

Mitigation Strategies

Immediate mitigation steps include reviewing and restricting delegated administrator permissions to ensure they do not have manage permissions on clients unless absolutely necessary.

Additionally, disabling Fine-Grained Admin Permissions (FGAP) v2, or not enabling the realm's adminPermissionsEnabled setting, until a patch or fix is applied can prevent exploitation.

Monitoring and auditing client scope attachment operations for suspicious activity is also recommended.

Compliance Impact

This vulnerability allows unauthorized injection of claims into end-user access tokens, which can lead to unauthorized access and potential exposure of sensitive data.

Such unauthorized data exposure and elevated access permissions could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict control over access to personal and sensitive information.
