CVE-2026-14209
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
A vulnerability in Keycloak's Admin UI allows administrators with limited permissions to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an admin who can only search for users can use the 'brute-force-user' endpoint to access full user profiles, including sensitive information and security metadata. The issue is due to missing permission checks for the 'view' right on this specific search path.
Risk Assessment
The organization risks exposure of sensitive user data and security metadata, potentially leading to confidentiality breaches and privilege escalation by unauthorized administrators.
Recommendation
Immediately update Keycloak to a patched version and review FGAPv2 permission configuration to ensure the 'brute-force-user' endpoint enforces the required 'view' permission.
Original NVD description (English source)
A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific "brute-force-user" endpoint to access a user's full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required "view" permission for that specific user when using this particular search path.

