CVE-2026-15945
Received Received - Intake

Keycloak FGAP v2 Group Search Access Bypass

Vulnerability report for CVE-2026-15945, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Red Hat, Inc.

Description

A flaw was found in the group search functionality of the Keycloak server's administrative API. When Fine-Grained Admin Permissions (FGAP) v2 is enabled, a delegated administrator can bypass access restrictions to view parent groups they are not authorized to see. By searching for a child group they have permission to view, the system incorrectly returns the full details of the parent group in the response, leading to the disclosure of sensitive group attributes and configuration.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
red_hat keycloak to 2.11.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is an information disclosure vulnerability in Keycloak's administrative API. When Fine-Grained Admin Permissions (FGAP) v2 is enabled, a delegated administrator can bypass access restrictions by searching for a child group they are authorized to view. The system incorrectly returns full details of unauthorized parent groups in the response, exposing sensitive group attributes and configuration.

Detection Guidance

To detect this vulnerability, check Keycloak server logs for unauthorized access attempts to the GET /admin/realms/{realm}/groups endpoint with search parameters and briefRepresentation=false. Look for responses containing parent group details despite 403 errors for direct access.

Impact Analysis

An attacker with a valid account and specific permissions (query-groups and Groups:view on at least one child group) could exploit this flaw to disclose sensitive information about unauthorized parent groups. This includes internal UUIDs, group names, custom group attributes, and role mappings associated with restricted parent groups.

Compliance Impact

This vulnerability could lead to unauthorized disclosure of sensitive group attributes and configuration, potentially violating data protection requirements under GDPR, HIPAA, or other regulations that mandate strict access controls and confidentiality of personal or health information.

Mitigation Strategies

Disable Fine-Grained Admin Permissions (FGAP) v2 if enabled. Restrict access to the /admin/realms/{realm}/groups endpoint. Monitor logs for suspicious search queries. Apply patches from Red Hat once available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15945. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart