CVE Catalog

CVE-2026-14209

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile — higher than 7% of all known CVEs

Summary

A vulnerability in Keycloak's Admin UI allows administrators with limited permissions to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an admin who can only search for users can use the 'brute-force-user' endpoint to access full user profiles, including sensitive information and security metadata. The issue is due to missing permission checks for the 'view' right on this specific search path.

Risk Assessment

The organization risks exposure of sensitive user data and security metadata, potentially leading to confidentiality breaches and privilege escalation by unauthorized administrators.

Recommendation

Immediately update Keycloak to a patched version and review FGAPv2 permission configuration to ensure the 'brute-force-user' endpoint enforces the required 'view' permission.

Original NVD description (English source)

A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific "brute-force-user" endpoint to access a user's full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required "view" permission for that specific user when using this particular search path.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS