2.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-14082

CVE-2025-14082: Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions

A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-14082

CVE-2025-14082:

2.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.keycloak:keycloak-services	maven	<= 26.4.7

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an improper access control issue in Keycloak's Admin REST API, specifically concerning the endpoint for managing roles. The root cause lies in the org.keycloak.authorization.jpa.store.JPAPolicyStore.findDependentPolicies method, which is responsible for fetching authorization policies. The pre-patch version of this method had a flaw where it would query for policies with either 'view' or 'view-members' scopes, without distinguishing between the type of resource being accessed. This meant that a user having 'view-members' permission on a group could inadvertently gain 'view' access to other resources, such as role metadata, which should have been restricted.

The patch addresses this by introducing a groupResourceType parameter to the findDependentPolicies method and its callers. This allows the method to differentiate the context of the permission check. If the check is related to groups, it looks for the 'view-members' scope; otherwise, it looks for the 'view' scope. This ensures that permissions are not incorrectly applied across different resource types.

The function org.keycloak.authorization.policy.provider.role.RolePolicyProvider.getPermissions is a key part of the call chain for this vulnerability. When a user accesses the roles endpoint, this provider is invoked to check permissions, which then calls the flawed findDependentPolicies method. Therefore, both of these functions would appear in a runtime profile during exploitation.

Vulnerable functions

org.keycloak.authorization.jpa.store.JPAPolicyStore.findDependentPolicies

model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java

This function is responsible for finding authorization policies. Before the patch, it incorrectly fetched policies with both 'view' and 'view-members' scopes regardless of the resource type being accessed. This allowed a user with 'view-members' permission on a group to potentially view other resources like roles, leading to information disclosure. The patched version introduces a `groupResourceType` parameter to correctly select the scope based on the resource type.

org.keycloak.authorization.policy.provider.role.RolePolicyProvider.getPermissions

authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProvider.java

This function is a runtime indicator of the vulnerability being triggered. It is responsible for getting permissions for a user on a given resource type. When a user tries to access role information, this function is called, which in turn calls the vulnerable `findDependentPolicies` method. An attacker exploiting this vulnerability would cause this function to be executed as part of the authorization check.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

2.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-14082: Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions

CVE-2025-14082:

2.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

2.7

2.7

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2025-14082: Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI