Impact
A missing authorization check in the GroupResource.addChild() endpoint of Keycloak’s Admin REST API allows an authenticated user with limited administrative rights to reparent any existing group. When Fine‑Grained Admin Permissions v2 is enabled, an attacker with control over a low‑privilege group can move a highly privileged group that carries the realm‑admin role into their own hierarchy. This unauthorized reparenting grants the attacker full management privileges, including the ability to reset passwords of privileged members, effectively enabling a complete realm takeover and compromising confidentiality, integrity and availability.
Affected Systems
The vulnerability exists in the Red Hat Build of Keycloak. No specific version range is listed; organizations should verify whether their deployment implements the GroupResource.addChild() operation and FGAPv2.
Risk and Exploitability
The CVSS score of 7.7 indicates a high impact when combined with the fact that the attacker only needs authenticated access to the REST API. EPSS is not available, but the lack of an exploit in the KEV catalog suggests no widely known public exploitation yet. However, the exploit can be carried out remotely by anyone who can reach the Admin REST API, making network exposure a key factor. The recommended mitigation is to implement the official patch and, where premature, to restrict the REST API to trusted networks or localhost, as outlined in the vendor workaround. Disabling FGAPv2 can also reduce the risk if it is not required.
OpenCVE Enrichment