Red Hat Jboss Enterprise Application Platform Expansion Pack
Monthly
Broken access control in the admin-ui-ext component of Red Hat Build of Keycloak permits an authenticated delegated administrator to exploit missing granular permission checks on bulk role-removal endpoints, stripping highly privileged roles from arbitrary users or groups within the Keycloak realm. Affected deployments are those using Keycloak's delegated administration model with the admin-ui-ext extension active; exploitation is bounded by the PR:H CVSS requirement, meaning an attacker must already hold delegated admin credentials. No public exploit has been identified and the vulnerability is not listed in CISA KEV, placing real-world risk in the moderate range with highest relevance to environments with partially trusted delegated administrators.
{realm}/partialImport endpoint to bypass Fine-Grained Admin Permissions (FGAP) and promote themselves to full realm administrator. The flaw is an improper authorization check (CWE-863) on imported users carrying realm-admin role mappings. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Remote code execution in Red Hat Apache Camel Infinispan component allows low-privileged attackers to execute arbitrary code via unsafe deserialization in ProtoStream remote aggregation repository. Exploiting this vulnerability requires network access and low-privilege credentials but grants full system compromise affecting confidentiality, integrity, and availability. The attack complexity is rated high (AC:H), suggesting specific configuration or timing requirements. No active exploitation confirmed at time of analysis (not in CISA KEV), and public exploit code status is unknown.
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel for Spring Boot) allows remote unauthenticated attackers to bypass front-end security controls by prepending whitespace to header lines. Undertow strips leading spaces from the first header line in violation of RFC 7230, creating a parser discrepancy between upstream proxies and the application server. No public exploit identified at time of analysis, and EPSS sits at 0.13% (32nd percentile), but the CVSS 9.1 and broad Red Hat middleware exposure make this a high-value target for chained attacks.
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls by exploiting parsing discrepancies between Undertow and upstream proxies when handling crafted header names. The flaw (CWE-444) affects Undertow embedded in multiple Red Hat products including JBoss EAP 7/8, Data Grid 8, Fuse 7, and Apache Camel for Spring Boot 4, with Red Hat issuing patches via RHSA-2026:25125 and RHSA-2026:25126. There is no public exploit identified at time of analysis and EPSS is low (0.10%), but CVSS 9.1 and SSVC 'total' technical impact warrant prompt patching of internet-facing deployments.
Keycloak allows authenticated administrators with manage-clients permission to escalate privileges to manage-permissions level, enabling unauthorized control over roles, users, and administrative functions within a realm. Red Hat Build of Keycloak, JBoss Enterprise Application Platform 8, and Red Hat Single Sign-On 7 are affected when admin permissions are enabled at the realm level. The vulnerability requires high-privilege authentication but carries medium CVSS severity (6.5) due to confidentiality and integrity impact without availability compromise.
A SSRF vulnerability in A flaw (CVSS 3.1) that allows the attacker. Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability in A flaw (CVSS 5.8) that allows an attacker. Remediation should follow standard vulnerability management procedures.
Broken access control in the admin-ui-ext component of Red Hat Build of Keycloak permits an authenticated delegated administrator to exploit missing granular permission checks on bulk role-removal endpoints, stripping highly privileged roles from arbitrary users or groups within the Keycloak realm. Affected deployments are those using Keycloak's delegated administration model with the admin-ui-ext extension active; exploitation is bounded by the PR:H CVSS requirement, meaning an attacker must already hold delegated admin credentials. No public exploit has been identified and the vulnerability is not listed in CISA KEV, placing real-world risk in the moderate range with highest relevance to environments with partially trusted delegated administrators.
{realm}/partialImport endpoint to bypass Fine-Grained Admin Permissions (FGAP) and promote themselves to full realm administrator. The flaw is an improper authorization check (CWE-863) on imported users carrying realm-admin role mappings. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Remote code execution in Red Hat Apache Camel Infinispan component allows low-privileged attackers to execute arbitrary code via unsafe deserialization in ProtoStream remote aggregation repository. Exploiting this vulnerability requires network access and low-privilege credentials but grants full system compromise affecting confidentiality, integrity, and availability. The attack complexity is rated high (AC:H), suggesting specific configuration or timing requirements. No active exploitation confirmed at time of analysis (not in CISA KEV), and public exploit code status is unknown.
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel for Spring Boot) allows remote unauthenticated attackers to bypass front-end security controls by prepending whitespace to header lines. Undertow strips leading spaces from the first header line in violation of RFC 7230, creating a parser discrepancy between upstream proxies and the application server. No public exploit identified at time of analysis, and EPSS sits at 0.13% (32nd percentile), but the CVSS 9.1 and broad Red Hat middleware exposure make this a high-value target for chained attacks.
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls by exploiting parsing discrepancies between Undertow and upstream proxies when handling crafted header names. The flaw (CWE-444) affects Undertow embedded in multiple Red Hat products including JBoss EAP 7/8, Data Grid 8, Fuse 7, and Apache Camel for Spring Boot 4, with Red Hat issuing patches via RHSA-2026:25125 and RHSA-2026:25126. There is no public exploit identified at time of analysis and EPSS is low (0.10%), but CVSS 9.1 and SSVC 'total' technical impact warrant prompt patching of internet-facing deployments.
Keycloak allows authenticated administrators with manage-clients permission to escalate privileges to manage-permissions level, enabling unauthorized control over roles, users, and administrative functions within a realm. Red Hat Build of Keycloak, JBoss Enterprise Application Platform 8, and Red Hat Single Sign-On 7 are affected when admin permissions are enabled at the realm level. The vulnerability requires high-privilege authentication but carries medium CVSS severity (6.5) due to confidentiality and integrity impact without availability compromise.
A SSRF vulnerability in A flaw (CVSS 3.1) that allows the attacker. Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability in A flaw (CVSS 5.8) that allows an attacker. Remediation should follow standard vulnerability management procedures.