An authorization bypass vulnerability exists in the GroupResource.getSubGroups() function of org.keycloak.services.resources.admin. The issue stems from a logic error where the auth.groups()::canView filter is only applied when the legacy permission schema is active. Under FGAP v2, AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm) returns true, causing the filter to be skipped. An attacker with a delegated admin role and Groups:view permission on a parent group can exploit this by calling the .../groups/{parentGroupId}/children endpoint.

Successful exploitation allows the attacker to:

- Enumerate hidden child groups under the parent group.
- Disclose child group UUIDs, names, and paths.
- Access subgroup counts and custom attributes of unauthorized child groups.
- Confirm the bypass via the access.view=false flag returned in the unauthorized data.