Fluid Attacks Database

Description

Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This allows a user (Owner A) who owns one resource (RA) to update a shared policy and modify authorization rules for other resources (e.g., RB) in that same policy, even if those other resources are owned by a different user (Owner B). This constitutes a horizontal privilege escalation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.keycloak:keycloak-services	>=0 <26.2.13 \|\| >=26.5.0 <26.5.3 \|\| >=26.3.0 <26.4.9	26.2.13, 26.5.3, 26.4.9

Aliases

1. CVE-2025-147782. NVD-2025-147783. OSV-2025-147784. GCVE-2025-147785. access.redhat.com6. access.redhat.com7. access.redhat.com8. access.redhat.com9. ACCESS-CVE-2025-14778

References

1. https://github.com/keycloak/keycloak/issues/461472. https://github.com/keycloak/keycloak/pull/461543. https://bugzilla.redhat.com/show_bug.cgi?id=2422600