A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm.
Fixes

Solution

No solution given by the vendor.


Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

History

Mon, 11 Aug 2025 19:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Redhat build Of Keycloak
CPEs                |                | cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
Vendors & Products  |                | Redhat build Of Keycloak

Tue, 29 Jul 2025 10:30:00 +0000

Type       | Values Removed                   | Values Added
CPEs       | cpe:/a:redhat:build_keycloak:    | cpe:/a:redhat:build_keycloak:26.2::el9
References |                                  |

Fri, 18 Jul 2025 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 18 Jul 2025 14:00:00 +0000

Type                | Values Removed                                 | Values Added
Description         | No description is available for this CVE.      | A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm.
Title               | org.keycloak/keycloak-services: Privilege Escalation in Keycloak Admin Console (FGAPv2 Enabled) | Org.keycloak/keycloak-services: privilege escalation in keycloak admin console (fgapv2 enabled)
First Time appeared |                                                | Redhat
                    |                                                | Redhat build Keycloak
                    |                                                | Redhat jboss Enterprise Application Platform
                    |                                                | Redhat jbosseapxp
                    |                                                | Redhat red Hat Single Sign On
CPEs                |                                                | cpe:/a:redhat:build_keycloak:
                    |                                                | cpe:/a:redhat:jboss_enterprise_application_platform:8
                    |                                                | cpe:/a:redhat:jbosseapxp
                    |                                                | cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products  |                                                | Redhat
                    |                                                | Redhat build Keycloak
                    |                                                | Redhat jboss Enterprise Application Platform
                    |                                                | Redhat jbosseapxp
                    |                                                | Redhat red Hat Single Sign On
References          |                                                |

Fri, 18 Jul 2025 12:15:00 +0000

Type        | Values Removed | Values Added
Description |                | No description is available for this CVE.
Title       |                | org.keycloak/keycloak-services: Privilege Escalation in Keycloak Admin Console (FGAPv2 Enabled)
Weaknesses  |                | CWE-269
References  |                |
Metrics     | threat_severity: None | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}
            |                | threat_severity: Moderate


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-07-29T10:19:02.221Z

Reserved: 2025-07-18T06:05:57.305Z

Link: CVE-2025-7784

Vulnrichment

Updated: 2025-07-18T14:54:27.368Z

NVD

Status : Analyzed

Published: 2025-07-18T14:15:26.983

Modified: 2025-08-11T19:16:40.103

Link: CVE-2025-7784

Redhat

Severity : Moderate

Public Date: 2025-07-18T00:00:00Z

Links: CVE-2025-7784 - Bugzilla

OpenCVE Enrichment

No data.