CVE-2026-14613

medium Red Hat
CVSS v3 Base Score
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Score
0.2%
Exploitation probability in 30 days
Top 92% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Confidentiality
Low
Integrity
None
Availability
None
Published: July 3, 2026 (6 days ago)
Last Modified: July 3, 2026
Vendor: Red Hat
Source: REDHAT

Description

A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to see those specific groups. This could allow a restricted administrator to discover "hidden" groups and see their details, such as internal names and custom settings, which might contain sensitive deployment information.

Affected Products

Red Hat Build of KeycloakRed Hat Data Grid 8Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Single Sign-On 7

References