2422600 – (CVE-2025-14778) CVE-2025-14778 keycloak: Incorrect ownership checks in /uma-policy/

Bug 2422600 (CVE-2025-14778) - CVE-2025-14778 keycloak: Incorrect ownership checks in /uma-policy/

Summary: CVE-2025-14778 keycloak: Incorrect ownership checks in /uma-policy/

Keywords:
Status:	NEW
Alias:	CVE-2025-14778
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-16 05:04 UTC by OSIDB Bzimport
Modified:	2026-02-09 18:27 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-16 05:04:25 UTC

A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This allows a user (Owner A) who owns one resource (RA) to update a shared policy and modify authorization rules for other resources (e.g., RB) in that same policy, even if those other resources are owned by a different user (Owner B). This constitutes a horizontal privilege escalation.

Note You need to log in before you can comment on or make changes to this bug.