CVE-2026-15945

Public on 2026-07-16
Modified on 2026-07-17
Description
A flaw was found in the group search functionality of the Keycloak server's administrative API. When Fine-Grained Admin Permissions (FGAP) v2 is enabled, a delegated administrator can bypass access restrictions to view parent groups they are not authorized to see. By searching for a child group they have permission to view, the system incorrectly returns the full details of the parent group in the response, leading to the disclosure of sensitive group attributes and configuration.
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
4.3
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core keycloak-httpd-client-install Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N