Keycloak FGAP v2 Bypass: Delegated Admin Exposes Parent Group Data
CVE-2026-15945 Published on July 16, 2026
Keycloak-services: keycloak-services: group hierarchy search discloses hidden parent groups under fgap v2
A flaw was found in the group search functionality of the Keycloak server's administrative API. When Fine-Grained Admin Permissions (FGAP) v2 is enabled, a delegated administrator can bypass access restrictions to view parent groups they are not authorized to see. By searching for a child group they have permission to view, the system incorrectly returns the full details of the parent group in the response, leading to the disclosure of sensitive group attributes and configuration.
Vulnerability Analysis
CVE-2026-15945 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-15945 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
Products Associated with CVE-2026-15945
Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.