FGAP v2 role groups endpoint discloses hidden group metadata without group view permission
Summary
A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to see those specific groups. This could allow a restricted administrator to discover "hidden" groups and see their details, such as internal names and custom settings, which might contain sensitive deployment information. The Red Hat Product Security team has assessed the severity of this vulnerability as Moderate. While it allows for an unauthorized disclosure of group metadata, it requires the attacker to already possess a delegated administrative role with specific view permissions. The vulnerability is a result of a missing authorization check in the RoleContainerResource component when FGAP v2 is active. Direct access to the hidden groups remains protected; the leak occurs only through the role-to-group mapping enumeration endpoint. Affected Red Hat products: Red Hat Build of Keycloak. Red Hat does not currently list a fixing RHSA for this CVE.
Mitigation
Mitigation steps weren't captured by the parser for this advisory — this is a parsing gap, not a statement that no fix exists. Read the vendor advisory below for the authoritative guidance.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.