Keycloak ClientResource Permission Bypass via FGAP v2
CVE-2026-14614 Published on July 3, 2026

Keycloak-services: keycloak-services: fgap v2 client scope assignment bypass via clientresource
A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended.

NVD

Vulnerability Analysis

CVE-2026-14614 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Timeline

Reported to Red Hat.

Made public. 1 day later.


Products Associated with CVE-2026-14614

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

 
 
 
 

Affected Versions

Red Hat Build of Keycloak: Red Hat Build of Keycloak: Red Hat Build of Keycloak: Red Hat Data Grid 8: Red Hat JBoss Enterprise Application Platform Expansion Pack: Red Hat Single Sign-On 7: