{"api_version":"1","generated_at":"2026-07-03T18:06:56+00:00","cve":"CVE-2026-14615","urls":{"html":"https://cve.report/CVE-2026-14615","api":"https://cve.report/api/cve/CVE-2026-14615.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-14615","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-14615"},"summary":{"title":"Keycloak-services: keycloak: fgap v2 parent group children endpoint bypasses per-child view permission filter","description":"A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when requested through a parent group. This allows a delegated administrator to view details of child groups they are not authorized to access directly, including group names, paths, and custom attributes.","state":"PUBLISHED","assigner":"redhat","published_at":"2026-07-03 16:16:55","updated_at":"2026-07-03 16:16:55"},"problem_types":["CWE-1220","CWE-1220 Insufficient Granularity of Access Control"],"metrics":[{"version":"3.1","source":"secalert@redhat.com","type":"Primary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-14615","name":"https://access.redhat.com/security/cve/CVE-2026-14615","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2496891","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2496891","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-14615","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-14615","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Red Hat","product":"Red Hat Build of Keycloak","version":"","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-07-02T17:46:15.000Z","lang":"en","value":"Reported to Red Hat."},{"source":"CNA","time":"2026-07-03T15:37:56.396Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:build_keycloak:"],"defaultStatus":"affected","packageName":"rhbk/keycloak-rhel9","product":"Red Hat Build of Keycloak","vendor":"Red Hat"}],"datePublic":"2026-07-03T15:37:56.396Z","descriptions":[{"lang":"en","value":"A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when requested through a parent group. This allows a delegated administrator to view details of child groups they are not authorized to access directly, including group names, paths, and custom attributes."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Moderate"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1220","description":"Insufficient Granularity of Access Control","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-03T15:47:08.632Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-14615"},{"name":"RHBZ#2496891","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2496891"}],"timeline":[{"lang":"en","time":"2026-07-02T17:46:15.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-07-03T15:37:56.396Z","value":"Made public."}],"title":"Keycloak-services: keycloak: fgap v2 parent group children endpoint bypasses per-child view permission filter","x_generator":{"engine":"cvelib 1.8.0"},"x_redhatCweChain":"CWE-1220: Insufficient Granularity of Access Control"}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2026-14615","datePublished":"2026-07-03T15:47:08.632Z","dateReserved":"2026-07-03T15:30:28.048Z","dateUpdated":"2026-07-03T15:47:08.632Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-03 16:16:55","lastModifiedDate":"2026-07-03 16:16:55","problem_types":["CWE-1220","CWE-1220 Insufficient Granularity of Access Control"],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"14615","Ordinal":"1","Title":"Keycloak-services: keycloak: fgap v2 parent group children endpo","CVE":"CVE-2026-14615","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"14615","Ordinal":"1","NoteData":"A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when requested through a parent group. This allows a delegated administrator to view details of child groups they are not authorized to access directly, including group names, paths, and custom attributes.","Type":"Description","Title":"Keycloak-services: keycloak: fgap v2 parent group children endpo"}]}}}