Description
A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.
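A minimal model of the check/lookup mismatch described above, added here as an illustration and not Keycloak's own code: the vulnerable delete authorizes against the caller-supplied resource server (client) id but looks the resource up by resource id alone, while the fixed version also requires the stored resource's owning client to match. All function names, the in-memory store and the two sample clients are constructed for this example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller lacks admin rights on the named client."""


@dataclass(frozen=True)
class Resource:
    resource_id: str
    resource_server_id: str  # the client that owns this resource
    name: str


# Constructed sample data: two clients in one realm, each owning one resource.
RESOURCES = {
    "res-a1": Resource("res-a1", "client-a", "orders"),
    "res-b1": Resource("res-b1", "client-b", "invoices"),
}

# Constructed sample: fine-grained admin grants (admin -> clients they may manage).
ADMIN_GRANTS = {"alice": {"client-a"}, "bob": {"client-b"}}


def check_manage(admin: str, resource_server_id: str) -> None:
    if resource_server_id not in ADMIN_GRANTS.get(admin, set()):
        raise Forbidden(f"{admin} may not manage {resource_server_id}")


def delete_resource_vulnerable(store, admin, resource_server_id, resource_id) -> bool:
    # Authorization is checked against the client id the caller supplied...
    check_manage(admin, resource_server_id)
    # ...but the lookup and delete key on the resource id only (the IDOR).
    if store.get(resource_id) is None:
        return False
    del store[resource_id]
    return True


def delete_resource_fixed(store, admin, resource_server_id, resource_id) -> bool:
    check_manage(admin, resource_server_id)
    resource = store.get(resource_id)
    # Scope the lookup to the authorized client: a resource owned by another
    # client is treated as not found, so nothing is disclosed or deleted.
    if resource is None or resource.resource_server_id != resource_server_id:
        return False
    del store[resource_id]
    return True


def demo() -> dict:
    # alice (admin of client-a only) supplies client-b's resource id.
    return {
        "vulnerable_deleted_other_client": delete_resource_vulnerable(dict(RESOURCES), "alice", "client-a", "res-b1"),
        "fixed_deleted_other_client": delete_resource_fixed(dict(RESOURCES), "alice", "client-a", "res-b1"),
        "fixed_deleted_own": delete_resource_fixed(dict(RESOURCES), "alice", "client-a", "res-a1"),
    }
```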
Published: 2025-12-16
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized resource manipulation
Action: Apply Patch
AI Analysis

Impact

A broken access control flaw in Keycloak allows an authenticated attacker with administrative privileges on a single client to delete or modify authorization resources belonging to a different client within the same realm. The vulnerability arises because the admin API endpoints for resource and permission ticket management validate the client ID provided in the request but perform database lookup and modification solely on the resource ID, creating an IDOR condition. This leads to unintended privilege escalation and unauthorized alteration of resource definitions.

Affected Systems

The affected products are the Red Hat build of Keycloak 26.4 and 26.4.11 deployed on Enterprise Linux 9, where the admin API is exposed.

Risk and Exploitability

The CVSS score is 6, indicating a moderate impact. The EPSS score is less than 1%, meaning the probability of exploitation is very low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user with fine-grained client admin rights who sends API requests to ResourceSetService or PermissionTicketService with the resource ID of another client's resource. Because only the resource ID is checked for deletion or update, the attacker can delete or modify resources belonging to a separate client in the same realm.

Generated by OpenCVE AI on April 28, 2026 at 18:33 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, comprising ease of use and deployment, applicability to a widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat errata RHSA-2026:6477 or RHSA-2026:6478 to upgrade Keycloak to the patched version that fixes the IDOR bug.
  • Review client-level administrative permissions and ensure that users only possess admin rights for the clients they own, preventing cross-client resource manipulation.
  • Implement monitoring for abnormal usage of the admin API endpoints, such as unexpected resource deletions or updates, to detect potential exploitation attempts.
  • No official workaround is provided by Red Hat for this vulnerability.


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 14:15:00 +0000

  • CPEs: removed cpe:/a:redhat:build_keycloak:; added cpe:/a:redhat:build_keycloak:26.4::el9
  • References

Tue, 16 Dec 2025 22:15:00 +0000

  • Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Dec 2025 12:15:00 +0000

  • References
  • Metrics (threat_severity): removed None; added Moderate


Tue, 16 Dec 2025 05:15:00 +0000

Values added:
  • Description: A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.
  • Title: Keycloak: keycloak idor in realm client creating/deleting
  • First Time appeared: Redhat, Redhat build Keycloak
  • Weaknesses: CWE-289
  • CPEs: cpe:/a:redhat:build_keycloak:
  • Vendors & Products: Redhat, Redhat build Keycloak
  • References
  • Metrics (cvssV3_1): {'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-02T16:39:34.751Z

Reserved: 2025-12-16T04:56:14.486Z

Link: CVE-2025-14777

Vulnrichment

Updated: 2025-12-16T19:09:34.260Z

NVD

Status : Deferred

Published: 2025-12-16T05:16:11.727

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14777

Redhat

Severity : Moderate

Public Date: 2025-12-16T04:57:00Z

Links: CVE-2025-14777 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T18:45:15Z

Weaknesses