CVE-2026-14614

keycloak-services: FGAP v2 client scope assignment bypass via ClientResource

CVSS: 5.4 MEDIUM
Vexday Risk Score: 10 (Low)
SSVC decision (CISA): Track. No exploitation signal → monitor.
KEV: no
Lifecycle: 03 Jul 2026, published on NVD
Recommendation: Monitor; no exploitation signal at the moment.
A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N