Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3145 articles · 171742 vulns · 36/41 feeds (7d)
← Back to list
4.3
CVE-2026-14613EXPLOITED
red hat · red hat build of keycloak

Keycloak-services: keycloak-services: keycloak: fgap v2 role groups endpoint discloses hidden group metadata without group view permission

Description

A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to see those specific groups. This could allow a restricted administrator to discover "hidden" groups and see their details, such as internal names and custom settings, which might contain sensitive deployment information.

Affected Products

VendorProductVersions
red hatred hat build of keycloak—

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
open sourceopen source keycloakcert_advisory90%

References

  • https://access.redhat.com/security/cve/CVE-2026-14613(vdb-entry, x_refsource_REDHAT)
  • https://bugzilla.redhat.com/show_bug.cgi?id=2496878(issue-tracking, x_refsource_REDHAT)

Related News (2 articles)

Tier B
BSI Advisories4h ago
[NEU] [UNGEPATCHT] [mittel] Keycloak: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
VulDB2d ago
CVE-2026-14613 | Keycloak on Red Hat permission
→ No new info (linked only)
CVSS 3.14.3 MEDIUM
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA KEV❌ No
Actively exploited✅ Yes
PublishedJul 3, 2026
Last enriched2d agov2
Trending Score53
Source articles2
Independent2
Info Completeness5/14
Missing: versions, cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

MEDIUMCVE-2026-14614EXP
Keycloak-services: keycloak-services: fgap v2 client scope assignment bypass via clientresource
Trending: 53
NONECVE-2026-58379EXP
Gimp: gimp: heap buffer overflow in read_channel_data()
Trending: 50
HIGHCVE-2026-9165EXP
Stackrox: stackrox: unbounded graphql query depth allows authenticated denial of service
Trending: 47
MEDIUMCVE-2026-14615
Keycloak-services: keycloak: fgap v2 parent group children endpoint bypasses per-child view permission filter
Trending: 34
HIGHCVE-2026-55628EXP
ImageMagick: Policy Bypass in concatenate operation due to missing checks
Trending: 32

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 3, 2026
Actively Exploited
Jul 3, 2026
Discovered by ZDM
Jul 3, 2026
Updated: severity, activelyExploited
Jul 3, 2026

Version History

v2
Last enriched 2d ago
v2Tier C2d ago

Updated severity to CRITICAL and marked exploit availability as false.

severityactivelyExploited
via VulDB
v12d ago

Initial creation