Keycloak-services: keycloak-services: realm default-group reads disclose hidden groups under fgap v2
Summary
A flaw was found in the default-groups REST endpoint and realm representation of Keycloak. This component is responsible for managing groups that are automatically assigned to new users within a realm. The issue allows a delegated administrator with realm-viewing permissions to see the names and identifiers of hidden default groups, even if they lack the specific permissions to view those groups. This can lead to the exposure of sensitive organizational structures or internal group names. Affected product named by the advisory: Red Hat Build of Keycloak.
What this means
In plain English
A flaw was found in the default-groups REST endpoint and realm representation of Keycloak. This component is responsible for managing groups that are automatically assigned to new users within a realm. The issue allows a delegated administrator with realm-viewing permissions to see the names and identifiers of hidden default groups, even if they lack the specific permissions to view those groups. This can lead to the exposure of sensitive organizational structures or internal group names. Affected product named by the advisory: Red Hat Build of Keycloak.
Recommended action
The parsed official advisory does not currently specify a fixed release, mitigation, or workaround. Review the linked vendor advisory for the latest guidance before making changes.
Rewritten locally from the scraped official advisory data above; no generative API is used. The vendor advisory is authoritative.
Affected versions
No affected-version range was extracted from the source record. The vendor advisory is authoritative — check it before change work.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Fixed versions
No fixed release is recorded yet. That does not prove no patch exists — confirm against the vendor advisory.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Mitigation
The source record does not include mitigation steps. That is not a statement that no fix exists — read the vendor advisory below for the authoritative guidance.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.