CVE-2026-14209

🗓️ 30 Jun 2026 11:48:26Reported by redhatType

Keycloak admin UI bypasses user view restrictions via brute-force-user when Fine-Grained Admin Permissions are enabled.

Reporter	Title	Published	Views	Family All 7
ATTACKERKB	CVE-2026-14209	30 Jun 202611:48	–	attackerkb
Cvelist	CVE-2026-14209 Keycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions	30 Jun 202611:48	–	cvelist
EUVD	EUVD-2026-40299	30 Jun 202611:48	–	euvd
NVD	CVE-2026-14209	30 Jun 202613:17	–	nvd
Positive Technologies	PT-2026-53860	30 Jun 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-14209	30 Jun 202611:48	–	redhatcve
Vulnrichment	CVE-2026-14209 Keycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions	30 Jun 202611:48	–	vulnrichment

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat Build of Keycloak",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "keycloak-admin-ui",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:build_keycloak:"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Build of Keycloak",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rhbk/keycloak-rhel9",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:build_keycloak:"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Build of Keycloak",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rhbk-openshift-rhel9/rhbk-openshift-rhel9",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:build_keycloak:"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "packageName": "keycloak-admin-ui",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jbosseapxp"
    ]
  }
]

Source	Link
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
access	www.access.redhat.com/security/cve/CVE-2026-14209

30 Jun 2026 19:16Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.14.3

SSVC

CWE-639