Keycloak Admin API IDOR via ResourceSetService
CVE-2025-14777 Published on December 16, 2025

Keycloak: keycloak idor in realm client creating/deleting
A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.

Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-14777 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a high impact on integrity, and a small impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
HIGH
Availability Impact:
LOW

Timeline

Reported to Red Hat.

Made public.

Weakness Type

Authentication Bypass by Alternate Name

The software performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.


Products Associated with CVE-2025-14777

stack.watch emails you whenever new vulnerabilities are published in Red Hat Build Keycloak or Red Hat Keycloak. Just hit a watch button to start following.

Red Hat Build Keycloak
 
Red Hat Keycloak
 

Affected Versions

Red Hat build of Keycloak 26.4: Red Hat build of Keycloak 26.4: Red Hat build of Keycloak 26.4: Red Hat build of Keycloak 26.4.11:

Exploit Probability

EPSS
0.04%
Percentile
11.25%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.