Bug 2381861 (CVE-2025-7784)

Summary: CVE-2025-7784 org.keycloak/keycloak-services: Privilege Escalation in Keycloak Admin Console (FGAPv2 Enabled)
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aschwart, asoldano, bbaranow, bmaxwell, boliveir, brian.stansberry, cdewolf, darran.lofthouse, dkreling, dosoudil, fjuma, istudens, ivassile, iweiss, lgao, mosmerov, mposolda, msochure, msvehla, nwallace, pesilva, pjindal, pmackay, rstancel, smaestri, ssilvert, sthorger, tom.jenkinson, vmuzikar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions(FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-07-18 06:06:49 UTC 
A Privilege Escalation vulnerability was identified in the Keycloak identity and access management solution, specifically when FGAPv2 is enabled in version 26.2.x. The flaw lies in the admin permission enforcement logic, where a user with manage-users privileges can self-assign realm-admin rights. The escalation occurs due to missing privilege boundary checks in role mapping operations via the admin REST interface. A malicious administrator with limited permissions can exploit this by editing their own user roles, gaining unauthorized full access to realm configuration and user data.
Comment 2 errata-xmlrpc 2025-07-29 01:35:25 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 26

Via RHSA-2025:12015 https://access.redhat.com/errata/RHSA-2025:12015
Comment 3 errata-xmlrpc 2025-07-29 01:45:56 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 26.2

Via RHSA-2025:12016 https://access.redhat.com/errata/RHSA-2025:12016