CVE-2026-14615
Severity: Medium (CVSS 4.3)
Summary
A flaw in the Fine-Grained Admin Permissions (FGAP) v2 implementation in Keycloak causes improper filtering of child groups based on caller permissions. A delegated administrator can view details of unauthorized child groups, including names, paths, and custom attributes.
Risk Assessment
The risk is unauthorized disclosure of sensitive organizational structure and group attributes to delegated administrators, which violates the principle of least privilege and could lead to privilege escalation.
Recommendation
Immediately update Keycloak to a version containing the fix for CVE-2026-14615, and verify the FGAP v2 configuration to confirm that child groups requested through a parent group are filtered by the caller's permissions.
Original NVD description (English source)
A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when requested through a parent group. This allows a delegated administrator to view details of child groups they are not authorized to access directly, including group names, paths, and custom attributes.
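One way to carry out the verification step in the Recommendation above, as an added example that is not part of this advisory or of Keycloak's own code: list a parent group's children with a delegated administrator's token and report every child that lies outside the set of group ids that admin's FGAP v2 permissions actually cover. The children endpoint path is Keycloak's admin REST API; the sample response, the group ids and the permitted set are constructed for the check to run offline.

```python
"""Post-upgrade check for CVE-2026-14615: a delegated admin listing the
children of a parent group must only see the child groups they are
permitted to view; names, paths and attributes of others must not leak."""
import json
import urllib.request

# Keycloak admin REST endpoint that returns a group's direct children.
CHILDREN_PATH = "/admin/realms/{realm}/groups/{parent_id}/children"


def fetch_children(base_url, realm, parent_id, token):
    """Fetch the children of parent_id as seen by the holder of `token`
    (a delegated admin's access token, not a realm admin's)."""
    url = base_url.rstrip("/") + CHILDREN_PATH.format(realm=realm, parent_id=parent_id)
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def find_leaked_children(children, permitted_ids):
    """Return the child groups the delegated admin should not have been shown.

    `children` is the JSON list from the endpoint; `permitted_ids` is the set of
    group ids covered by the admin's FGAP v2 permissions. Any other child in the
    response means filtering did not happen: the build is still vulnerable or
    the permissions are wider than intended."""
    leaked = []
    for child in children:
        if child.get("id") not in permitted_ids:
            leaked.append({
                "id": child.get("id"),
                "name": child.get("name"),
                "path": child.get("path"),
                # only the attribute keys are reported; the values stay out of logs
                "attribute_keys": sorted(child.get("attributes", {}).keys()),
            })
    return leaked


# Constructed sample: what an unfiltered response could look like for an admin
# whose FGAP v2 scope covers only the "support" subgroup (ids are made up).
SAMPLE_CHILDREN = [
    {"id": "g-support", "name": "support", "path": "/corp/support", "attributes": {}},
    {"id": "g-finance", "name": "finance", "path": "/corp/finance",
     "attributes": {"cost-center": ["CC-100"]}},
]
SAMPLE_PERMITTED = {"g-support"}

if __name__ == "__main__":
    for g in find_leaked_children(SAMPLE_CHILDREN, SAMPLE_PERMITTED):
        print("LEAK:", g["path"], "attribute keys:", g["attribute_keys"])
```

Against a live server, replace the sample with `fetch_children(...)` output and with the group ids granted in the delegated admin's FGAP v2 permission; an empty result after the upgrade is the expected outcome.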