<Vulnerability name="CVE-2026-14615">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-03T15:37:56</PublicDate>
    <Bugzilla id="2496891" url="https://bugzilla.redhat.com/show_bug.cgi?id=2496891" xml:lang="en:us">
keycloak-services: keycloak: FGAP v2 parent group children endpoint bypasses per-child view permission filter
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>4.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-1220</CWE>
    <Details xml:lang="en:us" source="Mitre">
A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when requested through a parent group. This allows a delegated administrator to view details of child groups they are not authorized to access directly, including group names, paths, and custom attributes.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when requested through a parent group. This allows a delegated administrator to view details of child groups they are not authorized to access directly, including group names, paths, and custom attributes.
    </Details>
    <Statement xml:lang="en:us">
The Red Hat Product Security team has assessed the severity of this vulnerability as Moderate, given that it requires the attacker to possess a delegated administrator role with specific permissions. Successful exploitation allows an attacker to disclose sensitive group metadata and attributes that should be restricted. The vulnerability's root cause is an improper conditional check in the group retrieval logic that fails to apply permission filters when FGAP v2 is enabled.
    </Statement>
    <Acknowledgement xml:lang="en:us">
Red Hat would like to thank yd1ng for reporting this issue.
    </Acknowledgement>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhbk/keycloak-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-14615
https://nvd.nist.gov/vuln/detail/CVE-2026-14615
    </References>
</Vulnerability>