Flaw in Fine-Grained Admin Permissions in Keycloak Affects Administrator Access
CVE-2026-14615
4.3 MEDIUM
What is CVE-2026-14615?
A vulnerability has been identified in Keycloak's Fine-Grained Admin Permissions (FGAP) v2 that affects how administrative permissions are enforced. When FGAP v2 is enabled, the system does not adequately filter child groups according to the caller's permissions when they are requested through a parent group. As a result, a delegated administrator may gain access to information about child groups that they are not permitted to view, including the groups' names, paths, and custom attributes. This exposure poses a significant risk for organizations that rely on Keycloak's delegated administration.
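The following is an added, constructed audit example (not Keycloak code and not from the advisory) that models the check a defender can run: compare the child groups a delegated administrator actually receives when listing a parent group against the set of child groups that administrator is scoped to, and report any child whose name, path or attributes were exposed outside that scope. The JSON field names follow Keycloak's group representation; the sample groups, ids and permitted set are assumptions constructed for the example.

```python
"""Offline audit model for the FGAP v2 child-group exposure described above.

Constructed example: CHILDREN_RESPONSE stands in for what a delegated admin
receives when listing a parent group's children; PERMITTED_CHILD_IDS is the
set of child groups that admin is actually scoped to. Anything returned
outside that set is a leak of the child's name, path and attributes.
"""
import json

# Constructed sample response (field names mirror Keycloak's GroupRepresentation).
CHILDREN_RESPONSE = json.dumps([
    {"id": "g-eng", "name": "engineering", "path": "/acme/engineering",
     "attributes": {"cost_center": ["CC-100"]}},
    {"id": "g-fin", "name": "finance", "path": "/acme/finance",
     "attributes": {"cost_center": ["CC-200"], "ledger": ["internal"]}},
    {"id": "g-hr", "name": "hr", "path": "/acme/hr", "attributes": {}},
])

# Constructed sample: the only child group this delegated admin may view.
PERMITTED_CHILD_IDS = {"g-eng"}


def filter_children(response_json, permitted_ids):
    """Expected (correct) behaviour: keep only children the caller may view."""
    children = json.loads(response_json)
    return [c["id"] for c in children if c["id"] in permitted_ids]


def find_leaked_children(response_json, permitted_ids):
    """Audit helper: children present in the response but outside the
    caller's permitted set, with the fields that were exposed."""
    leaked = []
    for child in json.loads(response_json):
        if child["id"] not in permitted_ids:
            leaked.append({
                "id": child["id"],
                "name": child["name"],
                "path": child["path"],
                # attribute keys are enough to show what leaked; values omitted
                "exposed_attributes": sorted(child.get("attributes", {})),
            })
    return leaked


if __name__ == "__main__":
    for leak in find_leaked_children(CHILDREN_RESPONSE, PERMITTED_CHILD_IDS):
        print(f"LEAK: {leak['path']} attributes={leak['exposed_attributes']}")
    print("permitted view:", filter_children(CHILDREN_RESPONSE, PERMITTED_CHILD_IDS))
```

Run against a real listing captured from a delegated admin's session, an empty leak list is the expected result after patching.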