<Vulnerability name="CVE-2026-14613">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-03T15:04:48</PublicDate>
    <Bugzilla id="2496878" url="https://bugzilla.redhat.com/show_bug.cgi?id=2496878" xml:lang="en:us">
keycloak-services: keycloak-services: Keycloak: FGAP v2 role groups endpoint discloses hidden group metadata without group view permission
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>4.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <Details xml:lang="en:us" source="Mitre">
A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to see those specific groups. This could allow a restricted administrator to discover "hidden" groups and see their details, such as internal names and custom settings, which might contain sensitive deployment information.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to see those specific groups. This could allow a restricted administrator to discover "hidden" groups and see their details, such as internal names and custom settings, which might contain sensitive deployment information.
    </Details>
    <Statement xml:lang="en:us">
The Red Hat Product Security team has assessed the severity of this vulnerability as Moderate. While it allows for an unauthorized disclosure of group metadata, it requires the attacker to already possess a delegated administrative role with specific view permissions. The vulnerability is a result of a missing authorization check in the RoleContainerResource component when FGAP v2 is active. Direct access to the hidden groups remains protected; the leak occurs only through the role-to-group mapping enumeration endpoint.
    </Statement>
    <Acknowledgement xml:lang="en:us">
Red Hat would like to thank yd1ng for reporting this issue.
    </Acknowledgement>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>keycloak-services</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhbk/keycloak-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhbk-openshift-rhel9/rhbk-openshift-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_data_grid:8">
        <ProductName>Red Hat Data Grid 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>keycloak-services</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>keycloak-services</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_single_sign_on:7">
        <ProductName>Red Hat Single Sign-On 7</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>keycloak-services</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-14613
https://nvd.nist.gov/vuln/detail/CVE-2026-14613
    </References>
</Vulnerability>