CVE-2026-14209
Last modified
CVE-2026-14209 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific "brute-force-user" endpoint to access a user's full profile. EPSS estimates a 0.18% chance of exploitation in the next 30 days.
Description
A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific "brute-force-user" endpoint to access a user's full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required "view" permission for that specific user when using this particular search path.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Build Of Keycloak | All versions |
| Redhat | Jboss Enterprise Application Platform Expansion Pack | All versions |
References
- https://access.redhat.com/security/cve/CVE-2026-14209Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2494837Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-14209?
How severe is CVE-2026-14209?
How do I fix CVE-2026-14209?
Related CVEs from 2026
- CVE-2026-14181@fastify/middie versions 9.1.0 through 9.3.2 fail to guard t…7.5
- CVE-2026-1419A weakness has been identified in D-Link DCS700l 1.03.09. Af…7.2
- CVE-2026-14191An out-of-bounds heap write exists in the RAR5 recovery-volu…7.8
- CVE-2026-14193DVP80ES300T with Improper Validation of Array Index Vulnerab…7.5
- CVE-2026-14198@fastify/middie versions 9.1.0 through 9.3.2 decode the enco…9.1
- CVE-2026-1420A flaw has been found in Tenda AC23 16.03.07.52. This impact…9.8
- CVE-2026-1421A vulnerability has been found in code-projects Online Exami…5.4
- CVE-2026-1422A vulnerability was found in code-projects Online Examinatio…9.8
- CVE-2026-1423A vulnerability was determined in code-projects Online Exami…9.8
- CVE-2026-1424A vulnerability was identified in PHPGurukul News Portal 1.0…7.2
- CVE-2026-14241Memory safety bugs present in Firefox 152.0.3. Some of these…9.8
- CVE-2026-14244The Jssor Slider by jssor.com plugin for WordPress is vulner…7.5
Are you affected by CVE-2026-14209?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
