Security Flaw in Keycloak's Fine-Grained Admin Permissions for ClientResource
CVE-2026-14614

5.4 MEDIUM

What is CVE-2026-14614?

A security vulnerability has been identified in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. The flaw allows a delegated administrator, who should only have limited access to specific clients, to modify client scopes that are hidden from them, i.e. scopes outside their authorized visibility. As a result, an attacker holding such delegated rights could cause unauthorized claims or permissions to be included in the tokens Keycloak issues to users, misleading relying applications into granting access beyond what was intended.
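As an added detection example (not from the advisory or the Keycloak project), the following Python scans Keycloak admin-event JSON lines for client-scope attachments performed by a delegated admin on scopes outside the set that admin is permitted to see, which is the kind of change this flaw makes possible. The event field names (authDetails.userId, resourceType, operationType, resourcePath) follow Keycloak's admin-event format as commonly exported; the sample events, the admin-to-visible-scope inventory and the UUID-like identifiers are constructed assumptions, not values from the advisory.

```python
import json
import re

# Constructed sample of Keycloak admin events in JSON-lines form. Field names are
# assumed to match Keycloak's admin-event export; all values are placeholders.
SAMPLE_EVENTS = """
{"time": 1, "realmId": "acme", "authDetails": {"userId": "delegated-admin-1", "ipAddress": "10.0.0.5"}, "resourceType": "CLIENT_SCOPE_CLIENT_MAPPING", "operationType": "CREATE", "resourcePath": "clients/app-a-uuid/default-client-scopes/scope-visible-uuid"}
{"time": 2, "realmId": "acme", "authDetails": {"userId": "delegated-admin-1", "ipAddress": "10.0.0.5"}, "resourceType": "CLIENT_SCOPE_CLIENT_MAPPING", "operationType": "CREATE", "resourcePath": "clients/app-a-uuid/optional-client-scopes/scope-hidden-uuid"}
{"time": 3, "realmId": "acme", "authDetails": {"userId": "realm-admin", "ipAddress": "10.0.0.9"}, "resourceType": "CLIENT_SCOPE_CLIENT_MAPPING", "operationType": "CREATE", "resourcePath": "clients/app-b-uuid/default-client-scopes/scope-hidden-uuid"}
{"time": 4, "realmId": "acme", "authDetails": {"userId": "delegated-admin-1", "ipAddress": "10.0.0.5"}, "resourceType": "CLIENT", "operationType": "UPDATE", "resourcePath": "clients/app-a-uuid"}
"""

# Hypothetical inventory: which client scopes each delegated admin is allowed to
# see under FGAP. Users not listed here (e.g. a full realm admin) are unrestricted.
VISIBLE_SCOPES = {"delegated-admin-1": {"scope-visible-uuid"}}

# Admin REST paths that attach a client scope to a client as default or optional.
SCOPE_PATH = re.compile(
    r"^clients/(?P<client>[^/]+)/(default|optional)-client-scopes/(?P<scope>[^/]+)$"
)


def find_hidden_scope_changes(jsonl, visible_scopes=VISIBLE_SCOPES):
    """Return (user, client, scope, operation) tuples for client-scope attachments
    made by a tracked delegated admin on a scope outside that admin's visible set."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev.get("resourceType") != "CLIENT_SCOPE_CLIENT_MAPPING":
            continue
        match = SCOPE_PATH.match(ev.get("resourcePath", ""))
        if not match:
            continue
        user = ev.get("authDetails", {}).get("userId")
        if user not in visible_scopes:
            continue  # not a delegated admin we track
        scope = match.group("scope")
        if scope not in visible_scopes[user]:
            findings.append((user, match.group("client"), scope, ev.get("operationType")))
    return findings


if __name__ == "__main__":
    for user, client, scope, op in find_hidden_scope_changes(SAMPLE_EVENTS):
        print(f"ALERT: {user} {op} hidden scope {scope} on client {client}")
```

In a real deployment the visible-scope inventory would be built from the FGAP permissions configured in the realm rather than hard-coded.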

CVSS V3.1

  • Score: 5.4
  • Severity: MEDIUM
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved