Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-14613— Keycloak-services: keycloak-services: keycloak: fgap v2 role groups endpoint discloses hidden group metadata without group view permission

CVSS 4.3 · Medium EPSS 0.17% · P7

Affected Version Matrix 6

VendorProductVersion RangeStatus
Red HatRed Hat Build of Keycloakanyunaffected
anyaffected
anyunaffected
Red HatRed Hat Data Grid 8anyunaffected
Red HatRed Hat JBoss Enterprise Application Platform Expansion Packanyunaffected
Red HatRed Hat Single Sign-On 7anyunaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-14613

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Keycloak-services: keycloak-services: keycloak: fgap v2 role groups endpoint discloses hidden group metadata without group view permission
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to see those specific groups. This could allow a restricted administrator to discover "hidden" groups and see their details, such as internal names and custom settings, which might contain sensitive deployment information.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Keycloak 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Keycloak是Keycloak组织开源的一种开源身份和访问管理解决方案。 Keycloak存在安全漏洞,该漏洞源于管理界面权限检查缺失,当新细粒度管理员权限启用时,允许查看特定角色的管理员越权查看分配给该角色的所有组列表,可能导致受限管理员发现隐藏组并获取其内部名称和自定义设置等敏感信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Red HatRed Hat Build of Keycloak-cpe:/a:redhat:build_keycloak:
Red HatRed Hat Build of Keycloak-cpe:/a:redhat:build_keycloak:
Red HatRed Hat Build of Keycloak-cpe:/a:redhat:build_keycloak:
Red HatRed Hat Data Grid 8-cpe:/a:redhat:jboss_data_grid:8
Red HatRed Hat JBoss Enterprise Application Platform Expansion Pack-cpe:/a:redhat:jbosseapxp
Red HatRed Hat Single Sign-On 7-cpe:/a:redhat:red_hat_single_sign_on:7

II. Public POCs for CVE-2026-14613

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-14613

登录查看更多情报信息。

Vendor Advisories for CVE-2026-14613 (2)

Same Patch Batch · Red Hat · 2026-07-03 · 6 CVEs total

CVE-2026-145449.8 CRITICALHplip: incomplete fix for cve-2026-8631
CVE-2026-583797.3 HIGHGimp: gimp: heap buffer overflow in read_channel_data()
CVE-2026-146145.4 MEDIUMKeycloak-services: keycloak-services: fgap v2 client scope assignment bypass via clientres
CVE-2026-146154.3 MEDIUMKeycloak-services: keycloak: fgap v2 parent group children endpoint bypasses per-child vie
CVE-2026-146124.2 MEDIUMFreeipa: ipa: idm: freeipa: off-by-one buffer overflows in ipa-otpd oauth2.c during oauth2

IV. Related Vulnerabilities

V. Comments for CVE-2026-14613

No comments yet


Leave a comment