Description

A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.
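The mismatch in the description reduces to one pattern: the permission check keys on the client (resource server) id supplied in the request, while the store lookup and mutation key only on the resource id, so nothing ties the two together. The following Java model is an added illustration, not Keycloak's own code; the names `Resource`, `ResourceStore`, `AdminAuth`, `deleteVulnerable` and `deleteHardened` are hypothetical stand-ins for the ResourceSetService/PermissionTicketService behaviour the advisory describes. It shows the cross-client delete succeeding in the vulnerable shape and being refused in the hardened one.

```java
// Added illustration of the CVE-2025-14777 check/lookup mismatch (hypothetical
// names, not Keycloak code): the permission check uses the client id from the
// request, the store uses only the resource id.
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class ResourceServerIdorDemo {

    /** An authorization resource owned by exactly one resource server (client). */
    record Resource(String id, String resourceServerId, String name) {}

    /** Store keyed only by resource id, mirroring findById/delete that ignore the client. */
    static class ResourceStore {
        private final Map<String, Resource> byId = new HashMap<>();
        void add(Resource r) { byId.put(r.id(), r); }
        Resource findById(String id) { return byId.get(id); }
        boolean delete(String id) { return byId.remove(id) != null; }
    }

    /** Fine-grained admin permissions: the clients this admin may manage authorization for. */
    record AdminAuth(String user, Set<String> manageableClientIds) {
        void requireManage(String clientId) {
            if (!manageableClientIds.contains(clientId)) {
                throw new SecurityException("403: " + user + " may not manage client " + clientId);
            }
        }
    }

    /** Vulnerable shape: authorize against the request's client id, then mutate by resource id alone. */
    static boolean deleteVulnerable(ResourceStore store, AdminAuth auth,
                                    String requestClientId, String resourceId) {
        auth.requireManage(requestClientId);   // passes: the admin does manage Client A
        return store.delete(resourceId);       // but this deletes whatever resourceId names, even Client B's
    }

    /** Hardened shape: resolve the resource and refuse unless it belongs to the authorized client. */
    static boolean deleteHardened(ResourceStore store, AdminAuth auth,
                                  String requestClientId, String resourceId) {
        auth.requireManage(requestClientId);
        Resource r = store.findById(resourceId);
        if (r == null || !r.resourceServerId().equals(requestClientId)) {
            // A foreign resource id is reported as "not found" so the response does not confirm existence.
            throw new IllegalArgumentException("404: no resource " + resourceId + " in client " + requestClientId);
        }
        return store.delete(resourceId);
    }

    public static void main(String[] args) {
        ResourceStore store = new ResourceStore();
        // Constructed sample data: one resource per client in the same realm.
        store.add(new Resource("res-a-1", "client-a", "A's resource"));
        store.add(new Resource("res-b-1", "client-b", "B's resource"));
        AdminAuth adminOfA = new AdminAuth("alice", Set.of("client-a"));

        // Vulnerable: alice, authorized only for client-a, removes client-b's resource.
        boolean removed = deleteVulnerable(store, adminOfA, "client-a", "res-b-1");
        System.out.println("vulnerable delete of res-b-1 via client-a succeeded: " + removed);
        System.out.println("res-b-1 still present: " + (store.findById("res-b-1") != null));

        // Hardened: the same request is rejected and client-b's resource survives.
        store.add(new Resource("res-b-1", "client-b", "B's resource"));
        try {
            deleteHardened(store, adminOfA, "client-a", "res-b-1");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened delete refused: " + e.getMessage());
        }
        System.out.println("res-b-1 still present: " + (store.findById("res-b-1") != null));
    }
}
```

The same ownership check applies to update paths: any handler that authorizes on the request's resource server and then loads or mutates by resource id alone has the bug. A sturdier fix than an after-the-fact comparison is to make the store's lookup itself take the resource server as a key (the hypothetical `findById(resourceServer, id)` shape), so a cross-client id can never resolve and the check cannot be forgotten in a new endpoint.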

State: PUBLISHED | Reserved: 2025-12-16 | Published: 2025-12-16 | Updated: 2025-12-16 | Assigner: redhat

MEDIUM: 6.0 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L)

Problem types

Authentication Bypass by Alternate Name

Product status

Default status
affected

Timeline

2025-12-16: Reported to Red Hat.
2025-12-16: Made public.

Credits

Red Hat would like to thank Joshua Rogers for reporting this issue.

References

access.redhat.com/security/cve/CVE-2025-14777 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2422596 (RHBZ#2422596) issue-tracking

cve.org (CVE-2025-14777)

nvd.nist.gov (CVE-2025-14777)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.