CVE-2025-14778
CVSS 3.1 base score: 5.4
- EPSS 0.01%
- Published 09.02.2026 18:58:29
- Last modified 10.02.2026 02:15:52
- Source secalert@redhat.com
A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This allows a user (Owner A) who owns one resource (RA) to update a shared policy and modify authorization rules for other resources (e.g., RB) in that same policy, even if those other resources are owned by a different user (Owner B). This constitutes a horizontal privilege escalation.
CPE mapping: linked by AI from the unstructured CNA data to existing NVD CPEs.
Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
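The check the advisory describes can be modelled in a few lines. The following is an added Python model, not Keycloak's Java code: the names (`Resource`, `UmaPolicy`, `may_modify_policy_*`) and the two owners and resources are constructed for the illustration. The vulnerable variant verifies ownership against the first resource in the policy's list only, so Owner A can rewrite a policy that also governs Owner B's resource; the hardened variant requires the caller to own every resource the policy references and refuses an empty resource list rather than letting it pass.

```python
"""
Model of the authorization flaw behind CVE-2025-14778 (added example; not
Keycloak's code). A UMA policy may reference several resources. The caller
should only be able to update or delete it if they own every one of them.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    id: str
    owner: str  # user id of the resource owner (constructed model)


@dataclass
class UmaPolicy:
    id: str
    resources: list[Resource] = field(default_factory=list)


def may_modify_policy_vulnerable(policy: UmaPolicy, caller: str) -> bool:
    """Flawed check: ownership is verified against the FIRST resource only.

    Whoever owns policy.resources[0] may update or delete the whole policy,
    including the rules that apply to resources owned by someone else. The
    outcome also depends on list order, which is a warning sign by itself.
    """
    if not policy.resources:
        return False
    return policy.resources[0].owner == caller


def may_modify_policy_fixed(policy: UmaPolicy, caller: str) -> bool:
    """Hardened check: the caller must own EVERY resource the policy touches.

    An empty resource list is refused explicitly; all() over an empty
    iterable would otherwise evaluate to True and grant access by accident.
    """
    if not policy.resources:
        return False
    return all(res.owner == caller for res in policy.resources)


def demo() -> dict[str, bool]:
    """Owner A owns RA, Owner B owns RB; one policy covers both (constructed data)."""
    ra = Resource(id="RA", owner="owner-a")
    rb = Resource(id="RB", owner="owner-b")
    shared = UmaPolicy(id="shared-policy", resources=[ra, rb])
    reversed_order = UmaPolicy(id="shared-policy-rev", resources=[rb, ra])
    return {
        # horizontal privilege escalation: A may rewrite the rules governing RB
        "vulnerable_allows_owner_a": may_modify_policy_vulnerable(shared, "owner-a"),
        # same policy with the resources listed the other way round: A is refused
        "vulnerable_order_dependent": may_modify_policy_vulnerable(reversed_order, "owner-a"),
        "fixed_denies_owner_a": may_modify_policy_fixed(shared, "owner-a"),
        "fixed_denies_owner_b": may_modify_policy_fixed(shared, "owner-b"),
        # a caller who owns every referenced resource is still allowed after the fix
        "fixed_allows_sole_owner": may_modify_policy_fixed(UmaPolicy("own", [ra]), "owner-a"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order-dependence case is the practical tell: if the same caller gets a different answer for the same policy once the resource list is reordered, the check is looking at one element instead of the set.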
Affected products (CNA data; version entries are of the form "from version X, less than *", i.e. X and later):

| Vendor | Product | Default status | Unaffected from version (< *) |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.2 | affected | 26.2.13-1 |
| Red Hat | Red Hat build of Keycloak 26.2 | affected | 26.2-15 |
| Red Hat | Red Hat build of Keycloak 26.2.13 | unaffected | n/a |
| Red Hat | Red Hat build of Keycloak 26.4 | affected | 26.4.9-1 |
| Red Hat | Red Hat build of Keycloak 26.4 | affected | 26.4-11 |
| Red Hat | Red Hat build of Keycloak 26.4 | affected | 26.4-10 |
| Red Hat | Red Hat build of Keycloak 26.4.9 | unaffected | n/a |
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.01% | 0.011 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 5.4 | 2.8 | 2.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
CWE-266: Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.