Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14615

CVE-2026-14615: Keycloak Information Disclosure Flaw

CVE-2026-14615 is an information disclosure vulnerability in Keycloak's Fine-Grained Admin Permissions that exposes unauthorized child group details to delegated administrators. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-14615 Overview

CVE-2026-14615 is an information disclosure vulnerability in Keycloak's Fine-Grained Admin Permissions (FGAP) v2 implementation. When FGAP v2 is enabled, the administrative service fails to filter child groups based on the caller's specific permissions when those groups are requested through a parent group. A delegated administrator can view details of child groups they are not authorized to access, including group names, paths, and custom attributes. The issue is classified under [CWE-1220] (Insufficient Granularity of Access Control) and affects the confidentiality of group metadata within Keycloak realms.

Critical Impact

Delegated administrators can enumerate unauthorized child groups and read their names, paths, and custom attributes through parent group queries.

Affected Products

  • Red Hat Keycloak (FGAP v2 enabled configurations)
  • Red Hat build of Keycloak
  • Upstream Keycloak deployments using Fine-Grained Admin Permissions v2

Discovery Timeline

  • 2026-07-03 - CVE-2026-14615 published to the National Vulnerability Database
  • 2026-07-06 - Last updated in NVD database

Technical Details for CVE-2026-14615

Vulnerability Analysis

Keycloak's Fine-Grained Admin Permissions (FGAP) v2 feature enables realm operators to delegate administrative capabilities at a granular level, including per-group access controls. The v2 implementation is intended to enforce authorization checks whenever an administrator queries group resources through the admin REST API.

The flaw resides in how the admin services return child groups nested under a parent group. When a delegated administrator issues a request for a parent group's children, Keycloak returns the full list of child group entities without applying the caller's specific permission set to each nested entry. Authorization is evaluated at the parent scope rather than reapplied for each child.

As a result, group metadata such as names, hierarchical paths, and custom attributes is exposed to callers who are not authorized to view those child groups directly. The impact is limited to confidentiality of group metadata. Integrity and availability are not affected, and the vulnerability requires an authenticated account with some level of delegated administrative privilege.

Root Cause

The root cause is insufficient granularity of access control in the FGAP v2 group listing logic. The service checks permissions on the parent group but does not iterate and re-evaluate authorization for each child group returned. This maps to [CWE-1220] and represents a classic broken access control pattern where a coarse-grained check substitutes for per-object enforcement.

Attack Vector

The attack requires network access to the Keycloak admin API and an authenticated delegated administrator account. The attacker sends an authenticated request to the admin endpoint that lists children of a parent group they can access. Keycloak responds with the full set of child groups, including entries the caller has no direct permission to view. The attacker can then read the exposed names, paths, and custom attributes for reconnaissance or targeted follow-on abuse.

No exploitation code is available in verified public repositories. See the Red Hat CVE-2026-14615 Advisory and Red Hat Bug Report #2496891 for vendor technical details.

Detection Methods for CVE-2026-14615

Indicators of Compromise

  • Repeated authenticated requests from delegated administrator accounts to /admin/realms/{realm}/groups/{id}/children endpoints.
  • Admin API access patterns where a single delegated administrator enumerates a large portion of the group hierarchy.
  • Unexpected read access events in Keycloak admin event logs referencing group IDs outside the caller's assigned permission scope.

Detection Strategies

  • Enable Keycloak admin events with RESOURCE_TYPE=GROUP and correlate the requesting principal against the FGAP v2 policy set to identify out-of-scope reads.
  • Baseline normal group enumeration behavior per delegated administrator and alert on volume or breadth anomalies against the group tree.
  • Review reverse proxy or ingress logs for admin API paths that traverse parent-to-child group relationships from lower-privileged service accounts.

Monitoring Recommendations

  • Forward Keycloak admin event streams to a centralized SIEM and retain them for post-incident review.
  • Alert on any delegated administrator whose child group query results include group IDs not present in their explicit permission grants.
  • Track configuration changes that enable or expand FGAP v2 policies and validate them against expected administrative boundaries.

How to Mitigate CVE-2026-14615

Immediate Actions Required

  • Apply the security updates referenced in the Red Hat CVE-2026-14615 Advisory as soon as vendor-fixed builds are available for your Keycloak distribution.
  • Audit all delegated administrator accounts and remove permissions that are not strictly required for their operational role.
  • Review custom attributes stored on group entities and remove any sensitive data that should not be exposed to lower-privileged administrators.

Patch Information

Refer to the Red Hat CVE-2026-14615 Advisory for the authoritative list of fixed package versions and errata. The Red Hat Bug Report #2496891 tracks upstream remediation for the FGAP v2 child group filtering logic.

Workarounds

  • Disable Fine-Grained Admin Permissions v2 in realms where delegated administration is not required and revert to the standard admin role model.
  • Flatten group hierarchies so that sensitive child groups are not nested beneath parents accessible to delegated administrators.
  • Restrict admin API access at the network layer to trusted management networks and identities pending patch deployment.
bash
# Configuration example: disable FGAP v2 feature flag at Keycloak startup
kc.sh start --features-disabled=admin-fine-grained-authz:v2

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.