Broken Access Control Vulnerability in Keycloak Admin API
CVE-2025-14777

6 MEDIUM

Key Information:

Vendor

Red Hat

CVE Published:
16 December 2025

What is CVE-2025-14777?

A vulnerability has been identified in Keycloak in which the admin API endpoints for managing authorization resources are susceptible to an insecure direct object reference (IDOR). Specifically, the flaw resides in the ResourceSetService and PermissionTicketService components. The system performs its authorization check against the client ID specified in the API request, but the subsequent database operation is keyed solely on the resource ID, with no check that the resource actually belongs to that client. This inconsistency can be exploited by an authenticated attacker with elevated permissions for one client to manipulate or delete resources that belong to another client within the same realm, simply by supplying a valid resource ID. This poses significant risks to data integrity and security.
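The following is an added illustration of the authorization mismatch described above, written here as a self-contained Python model; it is not Keycloak code and does not use Keycloak's real classes or APIs. The resource store, the `Caller`/`Resource` types and the handler names are constructed for this example. The vulnerable handler authorizes on the client ID from the request and then deletes by resource ID alone; the hardened handler additionally verifies that the looked-up resource is owned by that client before acting on it.

```python
"""Simplified model of the IDOR pattern described for CVE-2025-14777.

Constructed example, not Keycloak code: a tiny in-memory resource store,
a caller with manage rights on one client, and two delete handlers. The
vulnerable handler authorizes against the client ID in the request but
deletes by resource ID alone; the hardened handler also verifies that the
looked-up resource actually belongs to that client.
"""
from dataclasses import dataclass


@dataclass
class Resource:
    resource_id: str
    owner_client_id: str
    name: str


@dataclass
class Caller:
    # Client IDs on which this caller holds manage rights (assumed model).
    manage_clients: set


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def make_store():
    # Constructed sample data: two clients in the same realm, one resource each.
    return {
        "res-a1": Resource("res-a1", "client-a", "orders"),
        "res-b1": Resource("res-b1", "client-b", "invoices"),
    }


def _check_manage(caller, client_id):
    # Authorization step: is the caller allowed to manage this client at all?
    if client_id not in caller.manage_clients:
        raise Forbidden(f"no manage rights on {client_id}")


def delete_resource_vulnerable(store, caller, client_id, resource_id):
    """Authorizes on the request's client_id, then deletes by resource_id only."""
    _check_manage(caller, client_id)
    if resource_id not in store:
        raise NotFound(resource_id)
    # The resource's owner is never compared with client_id: any valid
    # resource ID in the realm is accepted.
    del store[resource_id]
    return True


def delete_resource_hardened(store, caller, client_id, resource_id):
    """Same authorization, plus a check that the resource belongs to client_id."""
    _check_manage(caller, client_id)
    resource = store.get(resource_id)
    # Treat a foreign resource as not found so the endpoint does not confirm
    # that the ID exists within another client's scope.
    if resource is None or resource.owner_client_id != client_id:
        raise NotFound(resource_id)
    del store[resource_id]
    return True


def cross_client_delete(handler):
    """Caller with rights only on client-a asks to delete client-b's resource.

    Returns True if the delete went through (the vulnerable behaviour) and
    False if the handler refused it.
    """
    store = make_store()
    caller = Caller(manage_clients={"client-a"})
    try:
        handler(store, caller, "client-a", "res-b1")
    except (Forbidden, NotFound):
        return False
    return "res-b1" not in store


if __name__ == "__main__":
    print("vulnerable handler deleted foreign resource:",
          cross_client_delete(delete_resource_vulnerable))
    print("hardened handler deleted foreign resource:",
          cross_client_delete(delete_resource_hardened))
```

The point of the hardened variant is that the ownership check is made against the object actually loaded from storage, not against request parameters alone; the same pattern applies to update and read paths, and returning "not found" rather than "forbidden" for a foreign resource avoids leaking which IDs exist in other clients' scopes.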

References

CVSS V3.1

Score:
6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Joshua Rogers for reporting this issue.