Bug 2496891 (CVE-2026-14615) - CVE-2026-14615 keycloak-services: keycloak: FGAP v2 parent group children endpoint bypasses per-child view permission filter
Status: NEW
Alias: CVE-2026-14615
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
Reported: 2026-07-03 15:30 UTC by OSIDB Bzimport
Modified: 2026-07-03 15:38 UTC (History)
Description OSIDB Bzimport 2026-07-03 15:30:51 UTC
An authorization bypass vulnerability exists in the GroupResource.getSubGroups() method of org.keycloak.services.resources.admin. The issue stems from a logic error where the auth.groups()::canView filter is only applied when the legacy permission schema is active. Under FGAP v2, AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm) returns true, causing the filter to be skipped.

An attacker with a delegated admin role and Groups:view permission on a parent group can exploit this by calling the .../groups/{parentGroupId}/children endpoint. Successful exploitation allows the attacker to:
- Enumerate hidden child groups under the parent group.
- Disclose child group UUIDs, names, and paths.
- Access subgroup counts and custom attributes of unauthorized child groups.
- Confirm the bypass via the access.view=false flag returned in the unauthorized data.