Keycloak FGAPv2 Priv Escalation via Manage-Users Role
CVE-2025-7784 Published on July 18, 2025
org.keycloak/keycloak-services: privilege escalation in Keycloak admin console (FGAPv2 enabled)
A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm.
Vulnerability Analysis
CVE-2025-7784 is exploitable with network access and requires user privileges. Attack complexity is considered low. A successful exploit is assessed as having a high impact on confidentiality and integrity, and no impact on availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Products Associated with CVE-2025-7784
Vulnerable Packages
The following package name and versions may be associated with CVE-2025-7784.
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.keycloak:keycloak-services | >= 26.2.0, < 26.2.6 | 26.2.6 |
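As an added example (not code from stack.watch or the Keycloak project), the check below flags Maven dependency lines that resolve org.keycloak:keycloak-services into the affected range from the table above. The dependency lines are constructed in the format printed by `mvn dependency:list` and the check assumes no classifier column is present.

```python
"""Flag Maven dependency lines that resolve org.keycloak:keycloak-services to a
version in the CVE-2025-7784 affected range (>= 26.2.0, < 26.2.6).
Added example, not stack.watch or Keycloak code."""
import re

# Affected range from the advisory table: [introduced, fixed)
AFFECTED = {"org.keycloak:keycloak-services": ("26.2.0", "26.2.6")}

# group:artifact:type:version:scope as printed by `mvn dependency:list`
# (assumption: no classifier column in the lines being scanned)
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):(?:jar|war|pom):([\w.\-]+):\w+")


def version_key(version, width=4):
    """Turn '26.2.5' or '26.2.5.Final' into a zero-padded tuple of ints so
    that '26.2' compares equal to '26.2.0'; textual qualifiers are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (width - len(parts)))


def is_vulnerable(artifact, version):
    """True when artifact:version lies inside a known affected range."""
    rng = AFFECTED.get(artifact)
    if rng is None:
        return False
    introduced, fixed = rng
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def scan_dependency_list(lines):
    """Return [(artifact, version), ...] for every affected coordinate found."""
    hits = []
    for line in lines:
        m = COORD_RE.search(line)
        if not m:
            continue
        artifact = f"{m.group(1)}:{m.group(2)}"
        version = m.group(3)
        if is_vulnerable(artifact, version):
            hits.append((artifact, version))
    return hits


# Constructed sample output (not from a real build)
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.keycloak:keycloak-services:jar:26.2.3:compile
[INFO]    org.keycloak:keycloak-core:jar:26.2.3:compile
[INFO]    org.keycloak:keycloak-services:jar:26.1.4:test
""".splitlines()

if __name__ == "__main__":
    for artifact, version in scan_dependency_list(SAMPLE_OUTPUT):
        print(f"AFFECTED {artifact}:{version} (fixed in 26.2.6)")
```

Pipe real `mvn dependency:list` output into `scan_dependency_list` to check a build; a hit means the build should move to 26.2.6 or later.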
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.