CVE Catalog

CVE-2026-14614

Severity: Medium (CVSS 5.4)

Summary

In Keycloak, with Fine-Grained Admin Permissions (FGAP) v2 enabled, the ClientResource component of the admin services lets a delegated administrator attach client scopes to, or remove them from, a client even when those scopes are hidden from that administrator and outside their authorization. Because a client scope's protocol mappers and role scope mappings decide which claims and roles go into the tokens issued for that client, this lets the delegated administrator inject unauthorized data or permissions into end-user security tokens.

Risk Assessment

A delegated administrator who is supposed to manage only specific clients can change which client scopes those clients use, and with them the claims and roles that end up in the tokens those clients receive. Applications that trust those tokens may then grant more access than intended, so the impact is privilege escalation from a limited admin role. The attacker must already hold a delegated admin role, which is why the issue is rated Medium (CVSS 5.4) rather than higher.

Recommendation

Update Keycloak to a release that contains the fix for CVE-2026-14614 as soon as possible. Until then, review the FGAP v2 configuration: restrict which delegated administrators hold manage permissions on clients, check the default and optional client scopes currently attached to the affected clients for scopes those administrators should not have been able to use, and enable admin events so that scope changes are recorded and can be reviewed.
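As an added example (not from the advisory and not Keycloak project code), the following script reviews exported Keycloak admin events and flags client-scope attach or detach operations performed by someone who is not a full realm admin on a scope that is not on that client's approved list. It assumes the field names of Keycloak's AdminEventRepresentation (operationType, resourceType, resourcePath, authDetails.userId, error) and that ClientResource records these operations with resourceType CLIENT_SCOPE_CLIENT_MAPPING and a resourcePath of the form clients/<client-uuid>/default-client-scopes/<scope-uuid> (or optional-client-scopes); the sample events, user IDs, client IDs and scope IDs are constructed for the demonstration.

```python
"""Flag client-scope attach/detach operations by delegated admins in Keycloak admin events.

Added example, not part of the advisory or of Keycloak. Assumptions: events follow
Keycloak's AdminEventRepresentation (time, realmId, operationType, resourceType,
resourcePath, authDetails{userId,...}, error), and scope changes made through
ClientResource carry resourceType CLIENT_SCOPE_CLIENT_MAPPING. Verify both against
the Keycloak version you run before relying on this.
"""
import json
import re
from typing import Iterable

# resourcePath shape assumed for CLIENT_SCOPE_CLIENT_MAPPING events:
#   clients/<client-uuid>/default-client-scopes/<scope-uuid>
#   clients/<client-uuid>/optional-client-scopes/<scope-uuid>
SCOPE_PATH = re.compile(
    r"^clients/(?P<client>[^/]+)/(?P<kind>default|optional)-client-scopes/(?P<scope>[^/]+)$"
)

# Constructed sample admin events, one JSON object per line (IDs are placeholders).
SAMPLE_EVENTS = """\
{"time":1700000000000,"realmId":"acme","operationType":"CREATE","resourceType":"CLIENT_SCOPE_CLIENT_MAPPING","resourcePath":"clients/c-app1/default-client-scopes/s-profile","authDetails":{"realmId":"master","clientId":"admin-cli","userId":"u-realm-admin","ipAddress":"10.0.0.5"}}
{"time":1700000001000,"realmId":"acme","operationType":"CREATE","resourceType":"CLIENT_SCOPE_CLIENT_MAPPING","resourcePath":"clients/c-app1/optional-client-scopes/s-email","authDetails":{"realmId":"acme","clientId":"security-admin-console","userId":"u-delegated-1","ipAddress":"10.0.0.9"}}
{"time":1700000002000,"realmId":"acme","operationType":"CREATE","resourceType":"CLIENT_SCOPE_CLIENT_MAPPING","resourcePath":"clients/c-app1/default-client-scopes/s-internal-admin","authDetails":{"realmId":"acme","clientId":"security-admin-console","userId":"u-delegated-1","ipAddress":"10.0.0.9"}}
{"time":1700000003000,"realmId":"acme","operationType":"DELETE","resourceType":"CLIENT_SCOPE_CLIENT_MAPPING","resourcePath":"clients/c-app1/default-client-scopes/s-audit-flag","authDetails":{"realmId":"acme","clientId":"security-admin-console","userId":"u-delegated-1","ipAddress":"10.0.0.9"}}
{"time":1700000004000,"realmId":"acme","operationType":"CREATE","resourceType":"CLIENT_SCOPE_CLIENT_MAPPING","resourcePath":"clients/c-app2/default-client-scopes/s-internal-admin","authDetails":{"realmId":"acme","clientId":"security-admin-console","userId":"u-delegated-2","ipAddress":"10.0.0.12"},"error":"forbidden"}
{"time":1700000005000,"realmId":"acme","operationType":"UPDATE","resourceType":"USER","resourcePath":"users/u-123","authDetails":{"realmId":"acme","clientId":"security-admin-console","userId":"u-delegated-1","ipAddress":"10.0.0.9"}}
"""

# Hypothetical policy for the demo: users with full realm-admin rights, and the scopes
# each client is expected to carry. In practice build these from your realm config.
FULL_ADMINS = {"u-realm-admin"}
ALLOWED_SCOPES = {"c-app1": {"s-profile", "s-email", "s-roles"}}


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON admin events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_unauthorized_scope_changes(
    events: Iterable[dict], full_admins: set[str], allowed_scopes: dict[str, set[str]]
) -> list[dict]:
    """Return one finding per successful scope attach/detach by a non-full admin
    on a scope that is not on the client's allowlist."""
    findings = []
    for ev in events:
        if ev.get("resourceType") != "CLIENT_SCOPE_CLIENT_MAPPING":
            continue
        if ev.get("operationType") not in ("CREATE", "DELETE"):
            continue
        if ev.get("error"):
            continue  # rejected request: the client's scope set did not change
        m = SCOPE_PATH.match(ev.get("resourcePath", ""))
        if m is None:
            continue
        client, kind, scope = m.group("client", "kind", "scope")
        actor = (ev.get("authDetails") or {}).get("userId")
        if actor in full_admins:
            continue  # full admins are entitled to manage every scope
        if scope in allowed_scopes.get(client, set()):
            continue  # expected scope for this client, delegated admin may touch it
        findings.append({
            "time": ev.get("time"),
            "actor": actor,
            "client": client,
            "scope": scope,
            "kind": kind,
            "operation": ev["operationType"],
        })
    return findings


def demo() -> list[dict]:
    """Run the check over the constructed sample events."""
    return find_unauthorized_scope_changes(parse_events(SAMPLE_EVENTS), FULL_ADMINS, ALLOWED_SCOPES)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['time']} {f['actor']} {f['operation']} {f['kind']} scope {f['scope']} on client {f['client']}")
```

The sample data exercises the cases that matter: a full admin attaching a scope (ignored), a delegated admin attaching an allowed scope (ignored), a delegated admin attaching an unlisted scope and removing another unlisted one (both flagged), a request that Keycloak rejected (ignored, since nothing changed), and an unrelated user update (ignored). Any finding is worth reconciling against the tokens the affected client issued during the window between the event and its reversal.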

Original NVD description (English source)

A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS