CVE-2026-14615

Fine-Grained Admin Permissions Bypass in Keycloak

Vulnerability report for CVE-2026-14615, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: Red Hat, Inc.

Description

A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when requested through a parent group. This allows a delegated administrator to view details of child groups they are not authorized to access directly, including group names, paths, and custom attributes.



Affected Vendors & Products

Vendor: keycloak
Product: keycloak
Version / Range: From 2 (inc)

CWE

CWE ID: CWE-1220
Description: The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, the implemented access controls lack the required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

AI Quick Actions

Executive Summary

This vulnerability is an authorization bypass issue in Keycloak's Fine-Grained Admin Permissions (FGAP) v2 implementation, specifically in the GroupResource.getSubGroups() function. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's permissions. As a result, a delegated administrator with permission to view a parent group can access details of child groups they are not authorized to see, including group names, paths, UUIDs, subgroup counts, and custom attributes.

Impact Analysis

This vulnerability allows an attacker with delegated admin rights and view permission on a parent group to enumerate and access sensitive information about child groups they should not have access to. This unauthorized disclosure can lead to exposure of confidential group details, potentially aiding further attacks or unauthorized access within the system.

Detection Guidance

This vulnerability can be detected by sending a request to the Keycloak administrative endpoint that lists child groups of a parent group, specifically the /groups/{parentGroupId}/children endpoint.

If the system is vulnerable, a delegated administrator with Groups:view permission on a parent group can enumerate child groups they are not authorized to access. The response will include unauthorized child groups with an access.view=false flag indicating the bypass.

A practical detection command could be a curl request like:

  • curl -H "Authorization: Bearer <delegated_admin_token>" https://<keycloak-server>/auth/admin/realms/<realm>/groups/<parentGroupId>/children

If the response contains child groups whose access.view flag is false, the caller has been shown groups it is not permitted to view, which indicates that the vulnerability is present.
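The check described above, written as an added audit helper for an administrator verifying their own realm; it is not code from the Keycloak project or from this advisory. It assumes the endpoint path given in this report (/auth/admin/realms/{realm}/groups/{parentGroupId}/children) and the response shape of a JSON list of group objects, each optionally carrying an "access" map with a boolean "view" entry. The sample response is constructed for the test and does not come from a real server.

```python
import json
import urllib.request
from typing import Any, Dict, List

# Constructed sample response for GET .../groups/{parentGroupId}/children.
# IDs, names and paths are made up; "team-c" deliberately has no "access"
# block so the helper's handling of that case is visible.
SAMPLE_CHILDREN: List[Dict[str, Any]] = [
    {"id": "aaaa-0001", "name": "team-a", "path": "/parent/team-a",
     "access": {"view": True, "manage": False}},
    {"id": "aaaa-0002", "name": "team-b", "path": "/parent/team-b",
     "access": {"view": False, "manage": False}},
    {"id": "aaaa-0003", "name": "team-c", "path": "/parent/team-c"},
]


def unauthorized_children(children: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the child groups the server itself marks as not viewable.

    A correctly filtered response never contains an entry with
    access.view == False: such entries are exactly the over-disclosure this
    CVE describes. Entries without an "access" block are left alone here,
    because their permission state cannot be judged from the payload.
    """
    leaked = []
    for group in children:
        access = group.get("access")
        if isinstance(access, dict) and access.get("view") is False:
            leaked.append({k: group.get(k) for k in ("id", "name", "path")})
    return leaked


def is_vulnerable(children: List[Dict[str, Any]]) -> bool:
    """True when at least one unauthorized child group was returned."""
    return bool(unauthorized_children(children))


def fetch_children(base_url: str, realm: str, parent_id: str, token: str) -> List[Dict[str, Any]]:
    """Fetch the children of a parent group as a delegated admin.

    The URL layout follows this report's detection guidance; adjust the
    '/auth' prefix if your deployment does not use it (assumption).
    """
    url = f"{base_url.rstrip('/')}/auth/admin/realms/{realm}/groups/{parent_id}/children"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # nosec: admin audit call
        return json.load(resp)


def audit(base_url: str, realm: str, parent_id: str, token: str) -> List[Dict[str, Any]]:
    """Run the live check and return the leaked groups (empty list = clean)."""
    return unauthorized_children(fetch_children(base_url, realm, parent_id, token))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for g in unauthorized_children(SAMPLE_CHILDREN):
        print(f"leaked child group: {g['name']} ({g['path']}) id={g['id']}")
    print("vulnerable" if is_vulnerable(SAMPLE_CHILDREN) else "clean")
```

Run audit() with a token for a delegated admin that holds Groups:view on the parent only; an empty result means the server filtered the children as it should, while any returned entry reproduces the disclosure this report describes.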

Compliance Impact

This vulnerability allows delegated administrators to access details of child groups they are not authorized to view, including sensitive information such as group names, paths, and custom attributes.

Such unauthorized disclosure of sensitive information could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal or sensitive data.

Mitigation Strategies

To mitigate the CVE-2026-14615 vulnerability, it is important to restrict delegated administrator access to parent groups until a fix is applied.

Since the issue arises when Fine-Grained Admin Permissions (FGAP) v2 is enabled, consider temporarily disabling FGAP v2 if feasible, or limiting the use of delegated admin roles with Groups:view permission on parent groups.

Monitor for updates or patches from the Keycloak or Red Hat Product Security teams and apply them promptly once available.
