{"api_version":"1","generated_at":"2026-07-12T23:06:20+00:00","cve":"CVE-2026-14209","urls":{"html":"https://cve.report/CVE-2026-14209","api":"https://cve.report/api/cve/CVE-2026-14209.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-14209","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-14209"},"summary":{"title":"Keycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions","description":"A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific \"brute-force-user\" endpoint to access a user's full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required \"view\" permission for that specific user when using this particular search path.","state":"PUBLISHED","assigner":"redhat","published_at":"2026-06-30 13:17:10","updated_at":"2026-07-01 20:26:25"},"problem_types":["CWE-639","CWE-639 Authorization Bypass Through User-Controlled Key"],"metrics":[{"version":"3.1","source":"secalert@redhat.com","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-14209","name":"https://access.redhat.com/security/cve/CVE-2026-14209","refsource":"secalert@redhat.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2494837","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2494837","refsource":"secalert@redhat.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-14209","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-14209","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Red Hat","product":"Red Hat Build of Keycloak","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Build of Keycloak","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Build of Keycloak","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","version":"","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-06-29T20:54:20.000Z","lang":"en","value":"Reported to Red Hat."},{"source":"CNA","time":"2026-06-30T11:08:07.532Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"Red Hat would like to thank Jinyeong Yang for reporting this issue.","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"14209","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"build_of_keycloak","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"14209","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_application_platform_expansion_pack","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"14209","cve":"CVE-2026-14209","epss":"0.001730000","percentile":"0.070050000","score_date":"2026-07-04","updated_at":"2026-07-05 00:02:27"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-14209","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-30T18:46:23.302478Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-30T18:46:34.501Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:build_keycloak:"],"defaultStatus":"affected","packageName":"keycloak-admin-ui","product":"Red Hat Build of Keycloak","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:build_keycloak:"],"defaultStatus":"affected","packageName":"rhbk/keycloak-rhel9","product":"Red Hat Build of Keycloak","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:build_keycloak:"],"defaultStatus":"affected","packageName":"rhbk-openshift-rhel9/rhbk-openshift-rhel9","product":"Red Hat Build of Keycloak","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html","cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"affected","packageName":"keycloak-admin-ui","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"}],"credits":[{"lang":"en","value":"Red Hat would like to thank Jinyeong Yang for reporting this issue."}],"datePublic":"2026-06-30T11:08:07.532Z","descriptions":[{"lang":"en","value":"A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific \"brute-force-user\" endpoint to access a user's full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required \"view\" permission for that specific user when using this particular search path."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Moderate"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-639","description":"Authorization Bypass Through User-Controlled Key","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T11:48:26.492Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-14209"},{"name":"RHBZ#2494837","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2494837"}],"timeline":[{"lang":"en","time":"2026-06-29T20:54:20.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-30T11:08:07.532Z","value":"Made public."}],"title":"Keycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_generator":{"engine":"cvelib 1.8.0"},"x_redhatCweChain":"CWE-639: Authorization Bypass Through User-Controlled Key"}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2026-14209","datePublished":"2026-06-30T11:48:26.492Z","dateReserved":"2026-06-30T10:52:31.949Z","dateUpdated":"2026-06-30T18:46:34.501Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-30 13:17:10","lastModifiedDate":"2026-07-01 20:26:25","problem_types":["CWE-639","CWE-639 Authorization Bypass Through User-Controlled Key"],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-30T18:46:23.302478Z","id":"CVE-2026-14209","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:*:*:*:*","matchCriteriaId":"824BB506-D01A-4C88-AD4A-3C94A2409CD2"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*","matchCriteriaId":"0A24CBFB-4900-47A5-88D2-A44C929603DC"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"14209","Ordinal":"1","Title":"Keycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extensi","CVE":"CVE-2026-14209","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"14209","Ordinal":"1","NoteData":"A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific \"brute-force-user\" endpoint to access a user's full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required \"view\" permission for that specific user when using this particular search path.","Type":"Description","Title":"Keycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extensi"}]}}}