5 matches found
CVE-2026-16106
CVE-2026-16106 refers to Keycloak, specifically the admin REST API. The issue arises when a delegated administrator attempts to remove a child role from a composite role, bypassing authorization checks. This can allow a user with limited admin permissions to remove privileged roles they are not a...
CVE-2026-15945
A flaw was found in the group search functionality of the Keycloak server's administrative API. When Fine-Grained Admin Permissions FGAP v2 is enabled, a delegated administrator can bypass access restrictions to view parent groups they are not authorized to see. By searching for a child group the...
CVE-2025-13881
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...
PT-2026-5499
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in the Keycloak Admin API that allows an administrator with limited privileges to retrieve sensitive custom attributes. This is achieved through the /unmanagedAttributes API...
CVE-2025-14083
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control...