logo

Database

Excessive privileges In org.keycloak:keycloak-services

Description

Duplicate Advisory: Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-27gp-8389-hm4w. This link is maintained to preserve external references.

Original Description

A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. NVD-2025-77842. GCVE-GHSA-83j7-mhw9-388w3. access.redhat.com4. access.redhat.com5. ACCESS-CVE-2025-7784

References

1. https://github.com/keycloak/keycloak/issues/411372. https://github.com/keycloak/keycloak/pull/411683. https://bugzilla.redhat.com/show_bug.cgi?id=2381861

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.