4.3
CVE-2026-14613
- EPSS 0.17%
- Veröffentlicht 03.07.2026 15:16:44
- Zuletzt bearbeitet 07.07.2026 18:16:35
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Keycloak-services: keycloak-services: keycloak: fgap v2 role groups endpoint discloses hidden group metadata without group view permission
A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to see those specific groups. This could allow a restricted administrator to discover "hidden" groups and see their details, such as internal names and custom settings, which might contain sensitive deployment information.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerRed Hat
≫
Produkt
Red Hat Build of Keycloak
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat Build of Keycloak
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Build of Keycloak
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat Data Grid 8
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat JBoss Enterprise Application Platform Expansion Pack
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat Single Sign-On 7
Default Statusunaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.17% | 0.068 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
CWE-284 Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
https://bugzilla.redhat.com/show_bug.cgi?id=2496878
https://access.redhat.com/security/cve/CVE-2026-14613