Description
A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific "brute-force-user" endpoint to access a user's full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required "view" permission for that specific user when using this particular search path.
Published: 2026-06-30
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Keycloak's Admin UI extension allows certain administrators to bypass Fine‑Grained Admin Permissions (FGAPv2) when searching for users. The specific "brute‑force‑user" endpoint does not verify whether the caller holds the required "view" permission on individual users, enabling a user with only search privileges to retrieve a full profile of any user, including sensitive data. This privilege or permission bypass (CWE‑639) may lead to unintended disclosure of user information and security metadata.

Affected Systems

Affected systems are Red Hat Build of Keycloak and the Red Hat JBoss Enterprise Application Platform Expansion Pack. No specific affected versions are referenced in the advisory.

Risk and Exploitability

The CVSS base score is 4.3, indicating moderate severity. EPSS data is not available and the vulnerability is not listed in CISA KEV. The likely attack vector is an authenticated administrator possessing search rights; exploitation requires access to the internal brute‑force‑user API endpoint. Once triggered, such an attacker can view full profiles of all users, potentially exposing sensitive information and security metadata. The risk remains contingent on internal network exposure and role assignment. No effective workaround is currently offered by the vendor; until a patch is released, users should consider restricting API access or applying stricter role assignments.

Generated by OpenCVE AI on June 30, 2026 at 15:27 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Reconfigure role assignments to separate search and view privileges, preventing administrators lacking full view permission from using the brute‑force‑user endpoint.
  • Deploy network‑level controls—such as firewalls, reverse proxies, or API gateways—to block or rate‑limit access to the brute‑force‑user endpoint for accounts without view permission, mitigating exploitation until a vendor fix is available.
  • Implement comprehensive audit logging for admin UI actions, monitor calls to the brute‑force‑user endpoint, and set up alerts for anomalous activity to detect potential misuse.
  • Apply the official security update as soon as it is released to eliminate the missing permission check.
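As an added illustration of the monitoring and rate-limiting recommendations above (this is example code written for this page, not OpenCVE's or Keycloak's own tooling), the following script replays a few constructed admin-API access-log lines and raises an alert whenever a caller hits a path containing the "brute-force-user" segment without holding a "view" grant, or issues a burst of such calls inside a short window. The JSON log shape, the `/admin/realms/demo/ui-ext/...` route prefix, the account names and the `GRANTS` table are all assumptions chosen for the example; a real deployment has to map them onto its own reverse-proxy or Keycloak event logs and its own FGAPv2 policy.

```python
"""
Added example (not from the OpenCVE record or Keycloak): flag calls to the
"brute-force-user" endpoint by admins who lack the "view" grant, and bursts
of such calls, from constructed access-log lines.
"""
import json
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (not real Keycloak output). One JSON object per line,
# the shape an access log from a reverse proxy in front of the admin API might have.
# The route prefix "/admin/realms/demo/ui-ext/" is an assumption for this example.
SAMPLE_LOG = """\
{"ts": "2026-06-30T12:00:01Z", "user": "helpdesk-alice", "method": "GET", "path": "/admin/realms/demo/users?search=bob", "status": 200}
{"ts": "2026-06-30T12:00:02Z", "user": "helpdesk-alice", "method": "GET", "path": "/admin/realms/demo/ui-ext/brute-force-user?search=bob", "status": 200}
{"ts": "2026-06-30T12:00:03Z", "user": "helpdesk-alice", "method": "GET", "path": "/admin/realms/demo/ui-ext/brute-force-user?search=carol", "status": 200}
{"ts": "2026-06-30T12:00:04Z", "user": "helpdesk-alice", "method": "GET", "path": "/admin/realms/demo/ui-ext/brute-force-user?search=dave", "status": 200}
{"ts": "2026-06-30T12:05:00Z", "user": "realm-admin-bob", "method": "GET", "path": "/admin/realms/demo/ui-ext/brute-force-user?search=bob", "status": 200}
{"ts": "2026-06-30T12:06:00Z", "user": "helpdesk-carol", "method": "GET", "path": "/admin/realms/demo/users/1234", "status": 403}
"""

# Assumed permission table: which fine-grained grants each admin account holds.
# In a real realm this would be derived from the FGAPv2 policies, not hard-coded.
GRANTS = {
    "helpdesk-alice": {"search"},
    "helpdesk-carol": {"search"},
    "realm-admin-bob": {"search", "view"},
}

# The path segment named in the advisory; everything around it is an assumption.
ENDPOINT_MARKER = "brute-force-user"


def parse_log(text):
    """Parse one JSON record per line into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def is_brute_force_user_call(path):
    """True if the route (query string removed) contains the endpoint segment."""
    # Drop the query string so a search term cannot make an unrelated route match.
    route = path.split("?", 1)[0]
    return ENDPOINT_MARKER in route.split("/")


def find_suspicious_calls(events, grants, burst_threshold=3, window=timedelta(seconds=60)):
    """Return alerts for endpoint calls without a 'view' grant and for call bursts.

    Calls are not filtered by HTTP status: for this issue the bypass succeeds with
    a normal response, and a denied attempt by a search-only account is still
    worth recording.
    """
    alerts = []
    recent = {}  # caller -> deque of timestamps of endpoint calls inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_brute_force_user_call(ev["path"]):
            continue
        caller = ev["user"]
        if "view" not in grants.get(caller, set()):
            alerts.append({"user": caller, "ts": ev["ts"],
                           "reason": "brute-force-user call without view grant"})
        q = recent.setdefault(caller, deque())
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) == burst_threshold:
            alerts.append({"user": caller, "ts": ev["ts"],
                           "reason": f"{burst_threshold} brute-force-user calls within "
                                     f"{int(window.total_seconds())}s"})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_calls(parse_log(SAMPLE_LOG), GRANTS):
        print(f"{alert['ts'].isoformat()} {alert['user']}: {alert['reason']}")
```

On the constructed log this reports four alerts, all for `helpdesk-alice`: three calls made without a view grant and one burst of three calls within a minute. `realm-admin-bob` holds the view grant and is not reported, and `helpdesk-carol` never touches the endpoint. Matching on the path segment rather than on the query string keeps a search term such as `?search=brute-force-user` from producing a false positive.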

Generated by OpenCVE AI on June 30, 2026 at 15:27 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat build Of Keycloak; Redhat jboss Enterprise Application Platform Expansion Pack
Vendors & Products | | Redhat build Of Keycloak; Redhat jboss Enterprise Application Platform Expansion Pack

Tue, 30 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 12:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific "brute-force-user" endpoint to access a user's full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required "view" permission for that specific user when using this particular search path.
Title | | Keycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions
First Time appeared | | Redhat; Redhat build Keycloak; Redhat jbosseapxp
Weaknesses | | CWE-639
CPEs | | cpe:/a:redhat:build_keycloak:; cpe:/a:redhat:jbosseapxp
Vendors & Products | | Redhat; Redhat build Keycloak; Redhat jbosseapxp
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-30T18:46:34.501Z

Reserved: 2026-06-30T10:52:31.949Z

Link: CVE-2026-14209

Vulnrichment

Updated: 2026-06-30T18:46:30.339Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T19:45:04Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key