5.4

CVE-2026-14614

Keycloak-services: keycloak-services: fgap v2 client scope assignment bypass via clientresource

A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerRed Hat
Produkt Red Hat Build of Keycloak
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat Build of Keycloak
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Build of Keycloak
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat Data Grid 8
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat JBoss Enterprise Application Platform Expansion Pack
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat Single Sign-On 7
Default Statusunaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.15% 0.043
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
secalert@redhat.com 5.4 2.8 2.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://access.redhat.com/security/cve/CVE-2026-14614
https://bugzilla.redhat.com/show_bug.cgi?id=2496889