Security Flaw in Keycloak's Fine-Grained Admin Permissions for ClientResource
CVE-2026-14614
5.4 MEDIUM
What is CVE-2026-14614?
A security vulnerability has been identified in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. The flaw allows a delegated administrator, whose access should be limited to specific clients, to modify client scopes that are hidden from that administrator and lie outside their authorized visibility. Such an administrator could therefore inject unauthorized claims or permissions into the tokens Keycloak issues to users, and relying applications that trust those tokens would grant access beyond what was intended.
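A defender-side check for this class of problem is to audit Keycloak admin events for client-scope mapping changes made by delegated administrators on scopes outside the set they are permitted to see. The following is an added example, not code from Keycloak or from this advisory; the event field names follow Keycloak's admin-event JSON, while the event lines, client and scope IDs, and the per-admin visible-scope allow-list are constructed here and stand in for an export of the FGAP policy.

```python
import json

# Constructed Keycloak admin-event lines (assumption: field names as in
# Keycloak's admin-event JSON; IDs and admin names are made up for this example).
ADMIN_EVENTS = """
{"operationType":"CREATE","resourceType":"CLIENT_SCOPE_CLIENT_MAPPING","resourcePath":"clients/c1/default-client-scopes/scope-profile","authDetails":{"userId":"delegated-admin-1","realmId":"demo"}}
{"operationType":"CREATE","resourceType":"CLIENT_SCOPE_CLIENT_MAPPING","resourcePath":"clients/c1/default-client-scopes/scope-hidden-admin","authDetails":{"userId":"delegated-admin-1","realmId":"demo"}}
{"operationType":"UPDATE","resourceType":"CLIENT","resourcePath":"clients/c1","authDetails":{"userId":"delegated-admin-1","realmId":"demo"}}
{"operationType":"CREATE","resourceType":"CLIENT_SCOPE_CLIENT_MAPPING","resourcePath":"clients/c2/optional-client-scopes/scope-hidden-admin","authDetails":{"userId":"realm-admin","realmId":"demo"}}
"""

# Assumption: the client scopes each delegated admin is allowed to see,
# exported from the FGAP policy (constructed for this example). Admins absent
# from this map are treated as full realm admins with no FGAP restriction.
VISIBLE_SCOPES = {
    "delegated-admin-1": {"scope-profile", "scope-email"},
}


def parse_scope_mapping(path):
    """Return (client_id, scope_id) for a client-scope mapping path, else None."""
    parts = path.split("/")
    if (len(parts) == 4 and parts[0] == "clients"
            and parts[2] in ("default-client-scopes", "optional-client-scopes")):
        return parts[1], parts[3]
    return None


def find_out_of_scope_changes(events_text, visible_scopes):
    """Flag scope-mapping changes by delegated admins on scopes they may not see."""
    findings = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("resourceType") != "CLIENT_SCOPE_CLIENT_MAPPING":
            continue  # only client <-> client-scope assignment changes matter here
        admin = ev["authDetails"]["userId"]
        if admin not in visible_scopes:
            continue  # not a delegated admin; nothing to compare against
        mapping = parse_scope_mapping(ev["resourcePath"])
        if mapping is None:
            continue  # unexpected path shape; skip rather than guess
        client_id, scope_id = mapping
        if scope_id not in visible_scopes[admin]:
            findings.append((admin, ev["operationType"], client_id, scope_id))
    return findings


if __name__ == "__main__":
    for finding in find_out_of_scope_changes(ADMIN_EVENTS, VISIBLE_SCOPES):
        print("out-of-scope client-scope change:", finding)
```

On the constructed input only the mapping of the hidden scope by the delegated admin is reported; the realm admin's change and the plain client update are ignored.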