Vulnerability in Keycloak's Admin UI Extension Allows Unauthorized User Data Access
CVE-2026-14209
4.3 MEDIUM
What is CVE-2026-14209?
A security flaw has been identified in Keycloak's Admin UI extension that allows certain administrative users to circumvent access restrictions. When Fine-Grained Admin Permissions (FGAPv2) are active, administrators who should be limited to searching for user accounts can use a specific endpoint to retrieve complete user profiles, including highly sensitive information and security metadata that should remain confidential. The root cause is that the search path does not adequately verify that the administrator holds the permission required to view those user details.
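To illustrate the bug class described above (search permission being treated as view permission), here is an added example that is not Keycloak code: a constructed, simplified permission model in which the scope names, the `User`/`Admin` types and the handler functions are all hypothetical. The vulnerable handler checks only that the caller may search and then returns full records; the fixed handler checks view permission per result and downgrades to a brief representation where it is missing.

```python
from dataclasses import dataclass

# Constructed model; scope names are hypothetical, not Keycloak's own.
SCOPE_QUERY = "query-users"  # may search and see that a user exists
SCOPE_VIEW = "view-user"     # may read the full profile


@dataclass
class User:
    user_id: str
    username: str
    email: str
    attributes: dict      # e.g. custom attributes
    credentials_meta: dict  # e.g. which credential types are configured


@dataclass
class Admin:
    name: str
    grants: dict  # scope -> set of user ids it applies to; "*" means all


    def allowed(self, scope, user_id):
        targets = self.grants.get(scope, set())
        return "*" in targets or user_id in targets


def brief(u):
    return {"id": u.user_id, "username": u.username}


def full(u):
    return {"id": u.user_id, "username": u.username, "email": u.email,
            "attributes": u.attributes, "credentials": u.credentials_meta}


def search_vulnerable(admin, users, term):
    # Gate only on the ability to search, then leak full records.
    if not any(admin.allowed(SCOPE_QUERY, u.user_id) for u in users):
        raise PermissionError("no search permission")
    return [full(u) for u in users if term in u.username]


def search_fixed(admin, users, term):
    # Filter hits to users the admin may query, then decide per hit
    # whether the full profile or only the brief form may be returned.
    hits = [u for u in users
            if term in u.username and admin.allowed(SCOPE_QUERY, u.user_id)]
    return [full(u) if admin.allowed(SCOPE_VIEW, u.user_id) else brief(u)
            for u in hits]
```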
References
CVSS V3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Jinyeong Yang for reporting this issue.