Skip to main content

Keycloak CVE-2025-7784

MEDIUM
Improper Privilege Management (CWE-269)
2025-07-18 secalert@redhat.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 17:30 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 36 maven packages depend on org.keycloak:keycloak-services (16 direct, 20 indirect)

Ecosystem-wide dependent count for version 26.2.0.

DescriptionCVE.org

A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions(FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm.

AnalysisAI

Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows administrative users with the manage-users role to escalate privileges to realm-admin through improper privilege enforcement. When FGAPv2 is enabled, this vulnerability enables unauthorized elevation of administrative access rights, compromising the separation of administrative duties. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

Keycloak is an open-source identity and access management (IAM) system providing authentication, authorization, and user management capabilities. Fine-Grained Admin Permissions v2 (FGAPv2) is an advanced authorization feature designed to enforce granular role-based access control (RBAC) for administrative operations. The vulnerability stems from CWE-269 (Improper Access Control) in the authorization enforcement logic of FGAPv2. Specifically, the manage-users administrative role does not properly validate permission boundaries when escalating to realm-admin privileges, allowing cross-role privilege elevation. This affects Red Hat's build of Keycloak (CPE: cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*), indicating the issue exists in the distribution maintained by Red Hat.

RemediationAI

Apply security updates from Red Hat via RHSA-2025:12015 or RHSA-2025:12016 (https://access.redhat.com/errata/RHSA-2025:12015, https://access.redhat.com/errata/RHSA-2025:12016). The exact patched version number is not provided in available data; consult the Red Hat advisories for the specific version to upgrade to. As an interim compensating control, disable Fine-Grained Admin Permissions v2 (FGAPv2) if not operationally required-this eliminates the vulnerability entirely while maintaining standard Keycloak RBAC. If FGAPv2 must remain enabled, restrict the assignment of manage-users role only to fully trusted administrators and enforce strong authentication (MFA) for all administrative accounts. Monitor administrative privilege escalation attempts by auditing role assignment and realm-admin privilege grants. Note that disabling FGAPv2 may reduce authorization granularity, requiring workflow re-evaluation; patch application is the preferred remediation path.

CVE-2024-8883 MEDIUM POC
6.1 Sep 19

A misconfiguration flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploita

CVE-2026-3047 HIGH
8.8 Mar 05

Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowin

CVE-2026-9704 HIGH
8.8 May 27

Privilege escalation in Red Hat Build of Keycloak allows low-privileged authenticated users to assume the permissions of

CVE-2026-3009 HIGH
8.1 Mar 05

Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowin

CVE-2024-1132 HIGH
8.1 Apr 17

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS

CVE-2024-7885 HIGH
7.5 Aug 21

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across

CVE-2024-10234 HIGH
7.3 Oct 22

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. Ra

CVE-2026-37980 MEDIUM
6.9 Apr 14

Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or mana

CVE-2026-9802 MEDIUM
6.8 May 28

Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse th

CVE-2024-4629 MEDIUM
6.5 Sep 03

A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no

CVE-2024-7260 MEDIUM
6.1 Sep 09

An open redirect vulnerability was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely e

CVE-2025-3910 MEDIUM
5.4 Apr 29

A flaw was found in Keycloak. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentic

Vendor StatusVendor

Share

CVE-2025-7784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy