PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15945 Red Hat CVE debrief

A flaw was found in the group search functionality of the Keycloak server's administrative API. When Fine-Grained Admin Permissions (FGAP) v2 is enabled, a delegated administrator can bypass access restrictions to view parent groups they are not authorized to see. This vulnerability leads to the disclosure of sensitive group attributes and configuration. The issue arises when a delegated administrator searches for a child group they have permission to view, and the system incorrectly returns the full details of the parent group in the response.

Vendor
Red Hat
Product
Red Hat Build of Keycloak
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Administrators and security teams using Keycloak with Fine-Grained Admin Permissions (FGAP) v2 enabled should verify their configurations and ensure proper access controls are in place. They should also monitor and audit administrative API usage to detect potential unauthorized access.

Technical summary

The vulnerability allows a delegated administrator to view parent groups they are not authorized to see by searching for a child group they have permission to view. This leads to the disclosure of sensitive group attributes and configuration. The issue is related to the Fine-Grained Admin Permissions (FGAP) v2 feature in Keycloak's administrative API. The API does not properly enforce access restrictions, allowing unauthorized access to parent groups.

Defensive priority

Medium priority due to the potential for sensitive information disclosure. Organizations should prioritize patching or mitigating this vulnerability to prevent unauthorized access to sensitive group attributes and configuration.

Recommended defensive actions

  • Verify and restrict access to the Keycloak administrative API.
  • Ensure Fine-Grained Admin Permissions (FGAP) v2 is properly configured.
  • Monitor and audit administrative API usage.
  • Apply vendor patches or updates when available.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-16T18:16:42.693Z and has not been modified since then. The NVD entry is currently in the 'Received' status. This information is based on the supplied source corpus and may not reflect the current status of the vulnerability. Defenders should verify the information with the official CVE record and NVD entry for the most up-to-date details. The group search functionality flaw in Keycloak's administrative API allows unauthorized access to parent groups, potentially disclosing sensitive information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T18:16:42.693Z and has not been modified since then. The NVD entry is currently in the 'Received' status.