CVE-2026-14614
Severity: Medium (CVSS 5.4)
Summary
In Keycloak, within the ClientResource component of the admin services, with Fine-Grained Admin Permissions (FGAP) v2 enabled, a delegated administrator can attach or remove hidden client scopes they are not authorized to manage. This allows unauthorized data or permissions to be injected into the security tokens issued to end users.
Risk Assessment
The organization faces privilege escalation by a delegated administrator who can modify client scopes outside their authorized set, which can cause relying applications to grant higher access levels than intended.
Recommendation
Immediately update Keycloak to a version containing the fix for CVE-2026-14614 and review FGAP v2 configuration to restrict delegated administrator permissions.
Original NVD description (English source)
A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended.