Keycloak FGAP v2 Bypass: Delegated Admin Exposes Parent Group Data
CVE-2026-15945 Published on July 16, 2026

Keycloak-services: keycloak-services: group hierarchy search discloses hidden parent groups under fgap v2
A flaw was found in the group search functionality of the Keycloak server's administrative API. When Fine-Grained Admin Permissions (FGAP) v2 is enabled, a delegated administrator can bypass access restrictions to view parent groups they are not authorized to see. By searching for a child group they have permission to view, the system incorrectly returns the full details of the parent group in the response, leading to the disclosure of sensitive group attributes and configuration.

NVD

Vulnerability Analysis

CVE-2026-15945 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Timeline

Reported to Red Hat.

Made public.

Weakness Type

What is an Insecure Direct Object Reference / IDOR Vulnerability?

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CVE-2026-15945 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.


Products Associated with CVE-2026-15945

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

 
 
 
 

Affected Versions

Red Hat Build of Keycloak: Red Hat Build of Keycloak: Red Hat Build of Keycloak: Red Hat Data Grid 8: Red Hat JBoss Enterprise Application Platform Expansion Pack: Red Hat Single Sign-On 7: