Vulnerability Description
A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2026:6477
- https://access.redhat.com/errata/RHSA-2026:6478
- https://access.redhat.com/security/cve/CVE-2025-14777
- https://bugzilla.redhat.com/show_bug.cgi?id=2422596
FAQ
What is CVE-2025-14777?
CVE-2025-14777 is a vulnerability with a CVSS score of 6.0 (MEDIUM). A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTi...
How severe is CVE-2025-14777?
CVE-2025-14777 has been rated MEDIUM with a CVSS base score of 6.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-14777?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.