CVE-2026-14613 Overview
CVE-2026-14613 is an access control weakness in Keycloak's administrative interface. The flaw affects deployments with Fine-Grained Admin Permissions version 2 (FGAP v2) enabled. An administrator authorized to view a specific role can also enumerate every group assigned to that role. Keycloak fails to verify whether the administrator holds permission to view those groups individually.
A restricted administrator can leverage the flaw to discover hidden groups and inspect their internal names and custom attributes. Those attributes may contain sensitive deployment information. The issue is classified under [CWE-284: Improper Access Control].
Critical Impact
Restricted Keycloak administrators can enumerate groups outside their authorized scope through role assignments, exposing internal group names and custom attributes that may contain sensitive configuration data.
Affected Products
- Red Hat Keycloak deployments with Fine-Grained Admin Permissions v2 (FGAP v2) enabled
- Red Hat build of Keycloak
- Upstream Keycloak identity and access management platform
Discovery Timeline
- 2026-07-03 - CVE-2026-14613 published to the National Vulnerability Database
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-14613
Vulnerability Analysis
Keycloak is an open source identity and access management (IAM) platform used to broker authentication and authorization for applications. Fine-Grained Admin Permissions v2 (FGAP v2) extends Keycloak's delegated administration model. It lets operators grant scoped privileges over specific realms, clients, groups, and roles.
CVE-2026-14613 breaks that delegation boundary. When an administrator queries a role they are permitted to view, Keycloak returns the list of groups assigned to that role. The administrative endpoint enumerates every group associated with the role without evaluating a per-group authorization check. Confidentiality of restricted groups is affected while integrity and availability remain intact.
Root Cause
The root cause is a missing authorization check on group entities returned as part of a role's association graph. The role-view permission implicitly grants read access to linked resources. FGAP v2 should evaluate the caller's view-group permission for each linked group before returning its metadata. That evaluation is absent, resulting in improper access control.
Attack Vector
Exploitation requires an authenticated administrator with limited FGAP v2 privileges. The attacker sends authorized administrative API requests against a role they legitimately manage. The response payload discloses associated groups, including groups the caller has no direct authorization to view. The attacker parses the response to extract group identifiers, paths, names, and custom attributes.
No user interaction, elevated privilege, or unusual network position is required beyond routine administrative access. The Exploit Prediction Scoring System places this issue at low expected exploitation probability. No public proof-of-concept or in-the-wild activity has been reported.
Detection Methods for CVE-2026-14613
Indicators of Compromise
- Administrative API calls to /admin/realms/{realm}/roles/{role-name}/groups or equivalent role-to-group query endpoints originating from accounts with narrow FGAP v2 scopes.
- Unusual enumeration patterns where a scoped administrator queries many roles in short succession.
- Access log entries showing responses containing group identifiers that fall outside the caller's assigned management scope.
Detection Strategies
- Audit Keycloak event logs for ADMIN_EVENT entries where the resourceType is GROUP or ROLE and the acting user holds FGAP v2 scoped permissions.
- Correlate administrator identity with the set of groups they are authorized to manage, then flag responses containing out-of-scope group data.
- Enable Keycloak's admin event logging with saveRequest and saveResponse to capture full API payloads for forensic review.
Monitoring Recommendations
- Forward Keycloak admin and login events to a centralized SIEM for long-term analysis and alerting.
- Establish a baseline of expected administrative API call volume per scoped administrator and alert on deviations.
- Review FGAP v2 role assignments quarterly to confirm that role-view grants are aligned with intended group visibility.
How to Mitigate CVE-2026-14613
Immediate Actions Required
- Review all FGAP v2 role assignments and identify administrators who hold role-view permissions but not corresponding group-view permissions.
- Restrict membership in roles that link to sensitive groups until a patched Keycloak build is applied.
- Rotate or sanitize custom group attributes that store deployment secrets, connection strings, or environment identifiers.
Patch Information
Refer to the vendor advisories for fixed component versions and remediation guidance:
Apply the vendor-supplied Keycloak update as soon as it is available in your distribution channel. Validate that the patched build enforces group-level authorization checks when returning role-to-group associations.
Workarounds
- Disable Fine-Grained Admin Permissions v2 if the feature is not required and revert to the classic admin permissions model.
- Remove group assignments from roles that scoped administrators can view, decoupling role membership from group exposure.
- Move sensitive configuration data out of group custom attributes and into secrets stores that are not reachable through the admin API.
# Example: list FGAP v2 role permissions using kcadm.sh to audit exposure
/opt/keycloak/bin/kcadm.sh config credentials \
--server https://keycloak.example.com \
--realm master \
--user admin
# Enumerate roles and their group assignments for review
/opt/keycloak/bin/kcadm.sh get roles -r <target-realm>
/opt/keycloak/bin/kcadm.sh get roles/<role-name>/groups -r <target-realm>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

