
CVE-2026-14613

4.3 MEDIUM (CVSS 3.1)
Description
A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to see those specific groups. This could allow a restricted administrator to discover "hidden" groups and see their details, such as internal names and custom settings, which might contain sensitive deployment information.

Metadata

CVE ID: CVE-2026-14613
State: PUBLISHED
Assigner: redhat
Reserved: 2026-07-03 14:48 UTC
Published: 2026-07-03 15:16 UTC
Last updated: 2026-07-03 15:16 UTC
Vendor / Product: Red Hat / Red Hat Build of Keycloak
Sources: cve.org · NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected products (6)

Vendor  | Product                                                       | Platform | Versions
Red Hat | Red Hat Build of Keycloak                                     |          |
Red Hat | Red Hat Build of Keycloak                                     |          |
Red Hat | Red Hat Build of Keycloak                                     |          |
Red Hat | Red Hat Data Grid 8                                           |          |
Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack  |          |
Red Hat | Red Hat Single Sign-On 7                                      |          |

CVSS scores (1)

Score | Severity | Version | Source | Vector
4.3   | MEDIUM   | 3.1     | cna    | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N