Bug 2496878 (CVE-2026-14613) - CVE-2026-14613 keycloak-services: keycloak-services: Keycloak: FGAP v2 role groups endpoint discloses hidden group metadata without group view permission
Keywords:
Status: NEW
Alias: CVE-2026-14613
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-07-03 14:48 UTC by OSIDB Bzimport
Modified: 2026-07-03 15:08 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-07-03 14:48:59 UTC
A flaw was found in Keycloak's Fine-Grained Admin Permissions v2 (FGAP v2) implementation. When FGAP v2 is enabled, the role groups endpoints (GET /admin/realms/{realm}/clients/{clientUuid}/roles/{roleName}/groups and GET /admin/realms/{realm}/roles/{roleName}/groups) fail to correctly enforce per-group view permissions.
The RoleContainerResource.getGroupsInRole() method only verifies that the caller has permission to view the role itself (auth.roles().requireView(roleContainer)). It then returns representations for all groups mapped to that role without verifying whether the caller has permission to view each individual group (auth.groups().canView(group)). This allows a delegated administrator with role view access to enumerate hidden groups and retrieve their metadata, including names, paths, and custom attributes, even if direct access to those groups is correctly denied with a 403 Forbidden error.
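To make the missing check concrete, the following is an added illustration written for this page, not Keycloak's own source: a sketch of the handler shape the description implies, with the vulnerable form next to a hardened form that drops every group the caller may not view. The evaluator and model type names are taken from the description and Keycloak's public API as assumptions; the field names, the jakarta imports and the paging parameters are assumptions too.

```java
import java.util.stream.Stream;
import jakarta.ws.rs.NotFoundException;
import org.keycloak.models.GroupModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;

// Illustrative sketch only; field names and paging arguments are assumptions,
// not copied from Keycloak's RoleContainerResource.
public class RoleGroupsSketch {
    private final AdminPermissionEvaluator auth;
    private final RealmModel realm;
    private final RoleContainerModel roleContainer;

    public RoleGroupsSketch(AdminPermissionEvaluator auth, RealmModel realm,
                            RoleContainerModel roleContainer) {
        this.auth = auth;
        this.realm = realm;
        this.roleContainer = roleContainer;
    }

    private RoleModel resolveRole(String roleName) {
        // The only authorization decision in the vulnerable shape: the role container.
        auth.roles().requireView(roleContainer);
        RoleModel role = roleContainer.getRole(roleName);
        if (role == null) throw new NotFoundException("Could not find role");
        return role;
    }

    // Vulnerable shape (CVE-2026-14613): every mapped group is returned, hidden or not.
    public Stream<GroupRepresentation> getGroupsInRoleVulnerable(
            String roleName, Integer first, Integer max, boolean brief) {
        RoleModel role = resolveRole(roleName);
        return realm.getGroupsByRoleStream(role, first, max)
                .map(g -> ModelToRepresentation.toRepresentation(g, !brief));
    }

    // Hardened shape: the same role check, plus a per-group view check so that a
    // caller who would get 403 on GET /groups/{id} also never sees it listed here.
    public Stream<GroupRepresentation> getGroupsInRoleHardened(
            String roleName, Integer first, Integer max, boolean brief) {
        RoleModel role = resolveRole(roleName);
        return realm.getGroupsByRoleStream(role, first, max)
                .filter(g -> auth.groups().canView(g))
                .map(g -> ModelToRepresentation.toRepresentation(g, !brief));
    }
}
```

Filtering after database-level paging can return short pages, and the page size itself still hints at how many mapped groups exist; that is the trade-off to weigh against disclosing names, paths and attributes of groups the caller is not permitted to view.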

