Home

Description

A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This allows a user (Owner A) who owns one resource (RA) to update a shared policy and modify authorization rules for other resources (e.g., RB) in that same policy, even if those other resources are owned by a different user (Owner B). This constitutes a horizontal privilege escalation.

PUBLISHED Reserved 2025-12-16 | Published 2026-02-09 | Updated 2026-02-10 | Assigner redhat




MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem types

Incorrect Privilege Assignment

Product status

Default status
affected

26.2.13-1 (rpm) before *
unaffected

Default status
affected

26.2-15 (rpm) before *
unaffected

Default status
affected

26.2-15 (rpm) before *
unaffected

Default status
unaffected

Default status
affected

26.4.9-1 (rpm) before *
unaffected

Default status
affected

26.4-11 (rpm) before *
unaffected

Default status
affected

26.4-10 (rpm) before *
unaffected

Default status
unaffected

Timeline

2025-12-16:Reported to Red Hat.
2026-02-09:Made public.

Credits

Red Hat would like to thank Joshua Rogers for reporting this issue.

References

access.redhat.com/errata/RHSA-2026:2363 (RHSA-2026:2363) vendor-advisory

access.redhat.com/errata/RHSA-2026:2364 (RHSA-2026:2364) vendor-advisory

access.redhat.com/errata/RHSA-2026:2365 (RHSA-2026:2365) vendor-advisory

access.redhat.com/errata/RHSA-2026:2366 (RHSA-2026:2366) vendor-advisory

access.redhat.com/security/cve/CVE-2025-14778 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2422600 (RHBZ#2422600) issue-tracking

cve.org (CVE-2025-14778)

nvd.nist.gov (CVE-2025-14778)

Download JSON