Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14209

CVE-2026-14209: Keycloak Auth Bypass Vulnerability

CVE-2026-14209 is an authentication bypass flaw in Redhat Build Of Keycloak that allows admins to access restricted user profiles via the brute-force-user endpoint. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-14209 Overview

CVE-2026-14209 is an authorization bypass vulnerability in the Keycloak Admin UI extension. When Fine-Grained Admin Permissions v2 (FGAPv2) are enabled, an administrator restricted to searching for users can invoke the brute-force-user endpoint to retrieve a target user's full profile. The endpoint fails to verify that the caller holds the required view permission for the specific user being queried. Retrieved data includes sensitive profile fields and account security metadata. The flaw affects Red Hat Build of Keycloak and Red Hat JBoss Enterprise Application Platform Expansion Pack, and is tracked under CWE-639: Authorization Bypass Through User-Controlled Key.

Critical Impact

Low-privileged administrators with user-search rights can read full user profiles and brute-force security metadata for any account, breaking FGAPv2 tenant isolation.

Affected Products

  • Red Hat Build of Keycloak
  • Red Hat JBoss Enterprise Application Platform Expansion Pack
  • Keycloak deployments with Fine-Grained Admin Permissions v2 (FGAPv2) enabled

Discovery Timeline

  • 2026-06-30 - CVE-2026-14209 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-14209

Vulnerability Analysis

The vulnerability resides in Keycloak's Admin UI extension, which exposes a brute-force-user endpoint used to query brute-force protection status for individual accounts. Under FGAPv2, administrators can be granted narrow scopes such as user search without the broader view-users permission. The endpoint bypasses the FGAPv2 policy engine and returns the target user's complete representation, including profile attributes and authentication metadata. This gives a search-only administrator access to information reserved for users with an explicit view grant on the account.

Root Cause

The defect is a missing authorization check on a specific search path within the Admin UI backend. When requests are handled through the brute-force-user endpoint, the code does not evaluate whether the calling administrator has the view permission for the requested user resource. The result is a classic authorization-bypass-through-user-controlled-key pattern [CWE-639], where the user identifier in the request determines the returned data without a corresponding permission check.

Attack Vector

An authenticated administrator with only user-search privileges sends a request to the brute-force-user endpoint supplying a target user identifier. The Keycloak backend returns the full user profile and security metadata without confirming the caller's view permission on that account. The attack requires network access to the Admin API and valid low-privileged administrative credentials. No user interaction is needed, and the response can be iterated across user IDs to enumerate an entire realm.

No verified exploit code is publicly available. See the Red Hat CVE-2026-14209 Advisory for technical details.

Detection Methods for CVE-2026-14209

Indicators of Compromise

  • Repeated Admin API requests to the brute-force-user endpoint from a single administrative session, especially with iterating user identifiers.
  • Admin audit events showing user profile retrieval by administrators who do not hold the view-users or per-user view FGAPv2 permission.
  • Unusual volumes of USER_INFO_REQUEST or equivalent Keycloak admin events tied to search-scoped roles.

Detection Strategies

  • Enable Keycloak admin event logging and correlate brute-force-user calls against the caller's effective FGAPv2 permission set.
  • Alert when administrators without view scope access endpoints that return full user representations.
  • Baseline normal per-administrator request rates to the Admin UI extension and flag statistical outliers.

Monitoring Recommendations

  • Forward Keycloak admin and system logs to a centralized SIEM and retain them for forensic review.
  • Monitor for enumeration patterns where sequential or scripted user IDs are queried within short time windows.
  • Review FGAPv2 role assignments regularly to ensure search-only administrators are not effectively receiving read access through this endpoint.

How to Mitigate CVE-2026-14209

Immediate Actions Required

  • Apply the patched Keycloak build referenced in the Red Hat CVE-2026-14209 Advisory as soon as it is available for your channel.
  • Audit all FGAPv2 role definitions and remove unnecessary user-search grants until patching is complete.
  • Rotate credentials and review recent admin activity for any accounts that may have been enumerated.

Patch Information

Red Hat has published tracking for this issue in Red Hat Bugzilla Report #2494837 and the Red Hat CVE-2026-14209 Advisory. Administrators of Red Hat Build of Keycloak and JBoss EAP Expansion Pack should upgrade to the fixed release identified in those advisories. Verify the patch enforces FGAPv2 view permission checks on the brute-force-user endpoint before restoring normal admin operations.

Workarounds

  • Disable FGAPv2 or restrict administrative logins to trusted operators until the patch is deployed.
  • Restrict network access to the Keycloak Admin API using firewall rules or a reverse proxy that limits which endpoints are reachable from delegated administrator networks.
  • Remove the brute-force-user path from exposed admin routes at the proxy layer if operationally acceptable.
bash
# Example reverse proxy rule to block the vulnerable endpoint at the edge
# nginx snippet - adjust path prefix to match your Keycloak deployment
location ~* /admin/realms/[^/]+/attack-detection/brute-force-user/ {
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.