Flaw in Fine-Grained Admin Permissions in Keycloak Affects Administrator Access
CVE-2026-14615

4.3 MEDIUM

Key Information:

Vendor

Red Hat

CVE Published:
3 July 2026

What is CVE-2026-14615?

A vulnerability has been identified in Keycloak's Fine-Grained Admin Permissions (FGAP) v2 that affects how administrative permissions are enforced. When FGAP v2 is enabled, Keycloak does not filter child groups according to the caller's actual permissions when those groups are requested through a parent group. As a result, a delegated administrator may be able to view information about child groups they are not authorized to see, including group names, paths, and custom attributes. Organizations that rely on Keycloak's delegated administration are therefore exposed to unintended disclosure of group data.

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
