CVE Catalog

CVE-2026-14613

Severity: Medium (CVSS 4.3)
Source: NVD (NIST)

Summary

A vulnerability in Keycloak's administrative interface allows restricted administrators to view information about groups they should not have access to. When Fine-Grained Admin Permissions (FGAP v2) are enabled, an administrator who is permitted to view a specific role can also list all groups assigned to that role; the server checks the permission on the role but not whether the administrator is allowed to view each of the groups returned.
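As an added illustration (model code written for this page, not Keycloak's source), the following Python shows the shape of the missing check: a role-scoped listing that filters only on the role, beside the same listing with a per-group permission filter, and a helper that reports what the first version exposes beyond the administrator's scope. The permission model, the function names and the sample realm data are assumptions made for the example.

```python
# Added illustration of the missing per-group check described above.
# Model code written for this page, not Keycloak source: the permission
# model, the handler names and the sample realm data are assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Group:
    id: str
    name: str                      # internal path such as /internal/soc-oncall
    attributes: dict = field(default_factory=dict)   # custom settings the leak exposes


@dataclass(frozen=True)
class RestrictedAdmin:
    """Scope granted to one administrator under a fine-grained model (assumed)."""
    viewable_roles: frozenset      # roles the admin may view
    viewable_groups: frozenset     # group ids the admin may view


# Constructed sample realm: three groups, two of them meant to stay hidden.
GROUPS = {
    "g1": Group("g1", "/staff"),
    "g2": Group("g2", "/internal/soc-oncall", {"pager_integration": "constructed-value"}),
    "g3": Group("g3", "/internal/project-x", {"vendor": "constructed-value"}),
}
# role name -> ids of the groups that carry the role (constructed)
ROLE_TO_GROUPS = {"auditor": ["g1", "g2", "g3"], "viewer": ["g1"]}


def can_view_role(admin: RestrictedAdmin, role: str) -> bool:
    return role in admin.viewable_roles


def can_view_group(admin: RestrictedAdmin, group_id: str) -> bool:
    return group_id in admin.viewable_groups


def groups_in_role_vulnerable(admin: RestrictedAdmin, role: str) -> list:
    """Behaviour the advisory describes: the role is checked, the groups are not."""
    if not can_view_role(admin, role):
        raise PermissionError(f"not allowed to view role {role!r}")
    return [GROUPS[g] for g in ROLE_TO_GROUPS.get(role, [])]


def groups_in_role_fixed(admin: RestrictedAdmin, role: str) -> list:
    """Same listing, with every group filtered through the admin's group permission."""
    if not can_view_role(admin, role):
        raise PermissionError(f"not allowed to view role {role!r}")
    return [GROUPS[g] for g in ROLE_TO_GROUPS.get(role, []) if can_view_group(admin, g)]


def leaked_groups(admin: RestrictedAdmin, role: str) -> dict:
    """Group names and attribute keys the vulnerable path exposes beyond the admin's scope."""
    allowed = {g.id for g in groups_in_role_fixed(admin, role)}
    return {g.name: sorted(g.attributes)
            for g in groups_in_role_vulnerable(admin, role) if g.id not in allowed}


if __name__ == "__main__":
    # Administrator who may view the 'auditor' role but only the /staff group.
    scoped = RestrictedAdmin(frozenset({"auditor"}), frozenset({"g1"}))
    print(leaked_groups(scoped, "auditor"))
```

The fixed variant keeps the role check and adds the filter that the vulnerable variant lacks; the same pattern applies to any endpoint that lists one kind of protected object through its relation to another.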

Risk Assessment

The impact is information disclosure: a restricted administrator can enumerate groups that FGAP v2 was meant to hide from them and read their details, such as internal names and custom attributes, which may reveal sensitive facts about the deployment (team structure, integrations, naming conventions). The NVD description covers confidentiality only, consistent with the Medium (CVSS 4.3) rating; it does not describe a way to modify those groups or to escalate privileges, so the main follow-on risk is that the leaked names and settings aid reconnaissance by an already-authenticated, low-privilege administrator.

Recommendation

Update Keycloak to a release that contains the fix; the NVD entry does not name the fixed version, so check the Keycloak security advisories for this CVE. If the update must wait, disable FGAP v2 where it is not required (in Keycloak 26.2 and later it is enabled through the admin-fine-grained-authz:v2 feature flag; disabling it returns the realm to the previous permission model, so confirm that restricted administrators keep the scope they need). Until the fix is in place, treat any administrator who can view a role as able to see every group that carries it, and restrict access to the administrative interface accordingly.

Original NVD description (English source)

A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to see those specific groups. This could allow a restricted administrator to discover "hidden" groups and see their details, such as internal names and custom settings, which might contain sensitive deployment information.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS