CVE-2026-15945 in Keycloak
Summary
by MITRE • 07/16/2026
A flaw was found in the group search functionality of the Keycloak server's administrative API. When Fine-Grained Admin Permissions (FGAP) v2 is enabled, a delegated administrator can bypass access restrictions to view parent groups they are not authorized to see. By searching for a child group they have permission to view, the system incorrectly returns the full details of the parent group in the response, leading to the disclosure of sensitive group attributes and configuration.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/16/2026
This vulnerability resides within Keycloak's administrative API implementation where the group search functionality fails to properly enforce access control boundaries when Fine-Grained Admin Permissions v2 is active. The flaw represents a classic authorization bypass issue that stems from improper privilege validation during search operations, allowing unauthorized access to parent group information through legitimate child group queries. The vulnerability manifests specifically when a delegated administrator attempts to search for groups they have limited permissions to view, creating an unexpected information disclosure scenario where the system's response includes data beyond what the user should logically be able to access.
The technical implementation flaw occurs at the API layer where the search functionality does not adequately verify whether the requesting administrator has proper authorization to access the parent group context of a child group they are permitted to view. This misconfiguration creates an information leakage pathway that violates fundamental security principles of least privilege and principle of least authority, as defined in CWE-284. The system's access control logic fails to properly isolate group hierarchies, allowing lateral movement through the group structure even when direct access to parent groups is restricted.
From an operational impact perspective, this vulnerability enables malicious or compromised administrators to discover sensitive configuration details about groups they should not have visibility into, potentially exposing organizational structures, user mappings, and administrative privileges that could be leveraged for further attacks. The disclosure includes attributes and configuration data of parent groups that may contain critical information about group membership, permissions, and organizational relationships, making this a significant concern for environments where group-based access control is heavily relied upon. This weakness can be exploited to map out entire group hierarchies and understand the broader administrative landscape.
The vulnerability's exploitation aligns with ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) and T1566.002 (Phishing: Spearphishing Attachments) where unauthorized information discovery can lead to more sophisticated attacks. Organizations using Keycloak with FGAP v2 enabled should immediately implement mitigations including disabling the vulnerable group search functionality until a patch is applied, implementing additional monitoring for unusual search patterns, and reviewing existing delegated administrator permissions to minimize potential impact. The fix requires proper access control validation during API search operations and ensuring that group hierarchy traversal respects permission boundaries as defined in the FGAP configuration.
Security teams should consider this vulnerability as part of their broader assessment of Keycloak's administrative API security posture, particularly focusing on how search operations interact with access control mechanisms. The flaw demonstrates the importance of thorough testing of privilege boundaries in complex permission systems and highlights potential gaps in automated security validation processes that might miss such subtle authorization bypass scenarios. Organizations relying on Keycloak for identity management should also review their group-based access control policies to ensure proper segregation of duties and minimize the blast radius of potential exploitation.