CVE-2025-14778 Overview
A significant Broken Access Control vulnerability has been identified in Keycloak's UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This flaw enables horizontal privilege escalation, allowing one resource owner to modify authorization rules for resources owned by other users.
Critical Impact
An authenticated user can bypass authorization controls and modify UMA policies affecting resources they do not own, potentially compromising access controls for other users' protected resources.
Affected Products
- Keycloak (versions with UMA Protection API implementation)
- Red Hat Single Sign-On (affected versions addressed in RHSA-2026:2363 through RHSA-2026:2366)
Discovery Timeline
- 2026-02-09 - CVE-2025-14778 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2025-14778
Vulnerability Analysis
This vulnerability represents a classic horizontal privilege escalation scenario within Keycloak's User-Managed Access (UMA) implementation. The core issue lies in the UserManagedPermissionService component, which handles the UMA Protection API endpoints responsible for managing resource permissions.
The flaw occurs during authorization validation when a user attempts to update or delete a UMA policy that is associated with multiple resources. The authorization logic only validates ownership for the first resource in the policy's resource list, failing to iterate through and verify ownership for all associated resources.
This means that if User A owns Resource A, and a shared policy lists Resource A first and Resource B (owned by User B) second, User A can modify the policy because the check passes for Resource A. The modification then also changes Resource B's authorization rules without User B's consent or knowledge.
Root Cause
The root cause is classified as CWE-266 (Incorrect Privilege Assignment). The vulnerability stems from an incomplete authorization check implementation in the UMA policy management logic. Rather than validating the caller's ownership against all resources in a policy, the code only checks the first resource, creating a bypass condition when policies span multiple resources with different owners.
Attack Vector
The attack is network-accessible and requires low-privilege authentication. An attacker must be an authenticated Keycloak user with at least one resource under their ownership. The attack follows these steps:
- The attacker identifies or creates a UMA policy that includes their own resource alongside resources owned by other users
- When submitting an update request to modify the policy, the attacker's ownership of their resource satisfies the (flawed) authorization check
- The policy modification is applied to all resources in the policy, including those the attacker does not own
- The attacker has now modified authorization rules for other users' resources without proper authorization
This vulnerability does not require user interaction and can be exploited directly through API calls to the UMA Protection API endpoints. The exploitation results in unauthorized modification of access control policies, affecting both confidentiality and integrity of the protected resources.
Detection Methods for CVE-2025-14778
Indicators of Compromise
- Unexpected modifications to UMA policies involving multi-resource configurations
- Audit log entries showing policy updates where the modifying user owns only a subset of the affected resources
- Users reporting unauthorized access changes to their protected resources
- API calls to UMA Protection API endpoints with policy updates affecting resources across multiple owners
Detection Strategies
- Monitor Keycloak audit logs for UPDATE_PERMISSION and DELETE_PERMISSION events involving policies with multiple resources
- Implement custom audit rules to flag policy modifications where the authenticated user does not own all resources in the policy
- Deploy API monitoring to detect unusual patterns in UMA Protection API usage
- Correlate policy change events with resource ownership records to identify potential exploitation attempts
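As an added example of the correlation strategy above (not code from the page or from Keycloak), the script below reads policy-change audit events, joins them against a resource ownership table, and flags every change where the acting user does not own all resources in the policy. The event schema, the ownership table and the sample log lines are constructed for the example; only the operation names UPDATE_PERMISSION and DELETE_PERMISSION are taken from the text.

```python
"""Detection helper: correlates UMA policy-change audit events with resource
ownership records and flags changes where the acting user does not own every
resource the policy covers. Added example; the event schema and the
ownership table are constructed here and are not Keycloak's real log format."""
import json
from typing import Iterator

# Operation names the page lists as the ones worth watching.
WATCHED_OPS = {"UPDATE_PERMISSION", "DELETE_PERMISSION"}

# Constructed ownership records (resource id -> owner), e.g. exported from
# the authorization server's resource registry.
OWNERS = {"res-a": "alice", "res-b": "bob", "res-c": "carol"}

# Constructed audit lines (one JSON object per line, plus one bad line).
SAMPLE_LOG = """\
{"ts": "2026-02-10T09:00:01Z", "user": "alice", "op": "UPDATE_PERMISSION", "policy": "pol-1", "resources": ["res-a"]}
{"ts": "2026-02-10T09:02:17Z", "user": "alice", "op": "UPDATE_PERMISSION", "policy": "pol-shared", "resources": ["res-a", "res-b"]}
{"ts": "2026-02-10T09:03:40Z", "user": "bob", "op": "DELETE_PERMISSION", "policy": "pol-2", "resources": ["res-b"]}
not-json garbage line that a real pipeline must tolerate
{"ts": "2026-02-10T09:05:02Z", "user": "carol", "op": "DELETE_PERMISSION", "policy": "pol-3", "resources": ["res-b", "res-c", "res-x"]}
{"ts": "2026-02-10T09:06:11Z", "user": "alice", "op": "LOGIN", "policy": null, "resources": []}
"""


def parse_events(text: str) -> Iterator[dict]:
    """Yields audit events, skipping blank and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event


def find_cross_owner_changes(events, owners: dict[str, str]) -> list[dict]:
    """Returns one finding per watched policy change whose resources are not
    all owned by the acting user. Resources with no ownership record are
    reported separately as 'unknown' because they cannot be verified, which
    deserves a look rather than a silent pass."""
    findings = []
    for ev in events:
        if ev.get("op") not in WATCHED_OPS:
            continue
        user = ev.get("user")
        resources = ev.get("resources") or []
        foreign = [r for r in resources if r in owners and owners[r] != user]
        unknown = [r for r in resources if r not in owners]
        if foreign or unknown:
            findings.append({
                "ts": ev.get("ts"), "user": user, "op": ev["op"],
                "policy": ev.get("policy"), "foreign": foreign, "unknown": unknown,
            })
    return findings


def main() -> None:
    for f in find_cross_owner_changes(parse_events(SAMPLE_LOG), OWNERS):
        print(f"{f['ts']} {f['user']} {f['op']} {f['policy']}: "
              f"not owned={f['foreign']} unknown={f['unknown']}")


if __name__ == "__main__":
    main()
```

On the constructed input the script reports two changes: alice's update to pol-shared (res-b belongs to bob) and carol's deletion of pol-3 (res-b belongs to bob, res-x has no ownership record). In a real deployment the ownership table would be refreshed from the authorization server before each run, since a stale table produces both false positives and false negatives.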
Monitoring Recommendations
- Enable comprehensive audit logging for all UMA Protection API operations in Keycloak
- Configure alerting for policy modifications involving cross-owner resource collections
- Regularly review UMA policy configurations to identify policies spanning multiple resource owners
- Implement periodic access control audits to verify policy integrity matches intended authorization models
How to Mitigate CVE-2025-14778
Immediate Actions Required
- Apply the latest security patches from Red Hat addressing this vulnerability
- Review existing UMA policies to identify multi-resource configurations that may have been modified
- Audit recent policy change logs for signs of unauthorized modifications
- Consider temporarily restricting UMA Protection API access for non-administrative users until patching is complete
Patch Information
Red Hat has released security advisories addressing this vulnerability. Organizations should apply the appropriate patches based on their deployment:
- Red Hat Security Advisory RHSA-2026:2363
- Red Hat Security Advisory RHSA-2026:2364
- Red Hat Security Advisory RHSA-2026:2365
- Red Hat Security Advisory RHSA-2026:2366
Additional technical details are available in Red Hat Bug Report #2422600 and the Red Hat CVE Report for CVE-2025-14778.
Workarounds
- Restrict UMA Protection API access to trusted administrative users only until patches can be applied
- Implement network-level controls to limit access to Keycloak administrative endpoints
- Avoid creating UMA policies that span resources with different owners as a temporary measure
- Deploy a reverse proxy or API gateway to add additional authorization validation before requests reach Keycloak
# Example: restrict ingress to the Keycloak pods via a Kubernetes NetworkPolicy
# A NetworkPolicy cannot filter by URL path, so this limits all traffic to the
# Keycloak pods (UMA Protection API included) to namespaces labelled trusted=true
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-uma-api
spec:
  podSelector:
    matchLabels:
      app: keycloak
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              trusted: "true"
      ports:
        - protocol: TCP
          port: 8443
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.