Vypr Intelligence · AI-generated · Jul 3, 2026 · 3 CVEs

Keycloak: Three FGAP v2 Access Control Bypass Vulnerabilities Disclosed Together

Three moderate-severity vulnerabilities in Keycloak's FGAP v2 system were disclosed together, enabling bypasses of permission filters and client scope assignments.

Key findings

  • Three moderate-severity vulnerabilities in Keycloak's FGAP v2 implementation were disclosed on July 3, 2026.
  • CVE-2026-14615 and CVE-2026-14613 allow bypassing permission filters for group metadata access.
  • CVE-2026-14614 permits bypassing client scope assignment via ClientResource.
  • All vulnerabilities were disclosed within a one-hour window, suggesting a coordinated release.

On July 3, 2026, three moderate-severity vulnerabilities were disclosed in Keycloak, an open-source identity and access management solution. The vulnerabilities, all related to the FGAP v2 (Fine-Grained Access Control) implementation, were published within a one-hour window, suggesting a coordinated disclosure. These flaws could allow unauthorized access to sensitive group metadata and bypass permission filters.

Two of the vulnerabilities, CVE-2026-14615 and CVE-2026-14613, stem from the FGAP v2 parent group children endpoint and role groups endpoint, respectively. Both endpoints return group listings without applying the per-child view permission filter, potentially exposing metadata of groups that the caller is not permitted to view. Both were assigned a CVSSv3 score of 4.3, classifying them as moderate severity.
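The following is an added illustration of the access-control pattern behind these two CVEs, not Keycloak's own code: a group model, a stand-in view-permission evaluator, a listing function that authorizes only the parent and returns every child, and the corrected form that routes both listing paths (parent children and role groups) through one per-item filter. All names, groups and grants below are constructed for the example.

```python
"""
Hypothetical model of per-child view permission filtering on list endpoints.
Nothing here is Keycloak code; the Group type, VIEW_GRANTS table and the
endpoint functions are constructed to show the difference between checking
only the parent (or the role) and re-checking every returned child.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Group:
    id: str
    parent_id: Optional[str]
    attributes: Dict[str, str] = field(default_factory=dict)  # the "metadata" at stake


# Constructed sample realm: one parent with two children and one role that
# maps onto both children. Admin "alice" may view the parent and child-a only.
GROUPS: Dict[str, Group] = {
    "parent": Group("parent", None, {"owner": "platform"}),
    "child-a": Group("child-a", "parent", {"cost-center": "1001"}),
    "child-b": Group("child-b", "parent", {"cost-center": "9999", "vip": "true"}),
}
ROLE_GROUPS: Dict[str, List[str]] = {"ops-role": ["child-a", "child-b"]}
VIEW_GRANTS: Dict[str, Set[str]] = {
    "alice": {"parent", "child-a"},
    "root": set(GROUPS),
}


def can_view(principal: str, group_id: str) -> bool:
    """Per-resource view decision (stands in for a fine-grained evaluator)."""
    return group_id in VIEW_GRANTS.get(principal, set())


def children_unfiltered(principal: str, parent_id: str) -> List[Group]:
    """Flawed pattern: authorize the parent once, then return every child.
    The caller receives metadata of children it was never granted."""
    if not can_view(principal, parent_id):
        raise PermissionError(parent_id)
    return [g for g in GROUPS.values() if g.parent_id == parent_id]


def filter_viewable(principal: str, groups: Iterable[Group]) -> List[Group]:
    """Single chokepoint every group-listing path must pass through."""
    return [g for g in groups if can_view(principal, g.id)]


def children_filtered(principal: str, parent_id: str) -> List[Group]:
    """Corrected pattern: parent check plus per-child filter."""
    if not can_view(principal, parent_id):
        raise PermissionError(parent_id)
    candidates = (g for g in GROUPS.values() if g.parent_id == parent_id)
    return filter_viewable(principal, candidates)


def role_groups_filtered(principal: str, role: str) -> List[Group]:
    """Second listing path (role -> groups) reusing the same per-item filter,
    so a fix in one place covers both endpoints."""
    candidates = (GROUPS[g] for g in ROLE_GROUPS.get(role, []))
    return filter_viewable(principal, candidates)


def leaked_ids(principal: str, parent_id: str) -> Set[str]:
    """Regression check: group ids the flawed path returns beyond what the
    filtered path allows. Empty means no over-exposure for this principal."""
    flawed = {g.id for g in children_unfiltered(principal, parent_id)}
    allowed = {g.id for g in children_filtered(principal, parent_id)}
    return flawed - allowed


if __name__ == "__main__":
    print("alice leaks:", leaked_ids("alice", "parent"))  # {'child-b'}
    print("root leaks:", leaked_ids("root", "parent"))    # set()
```

The `leaked_ids` comparison is the shape of test a defender can keep in a regression suite for any list endpoint: enumerate with a low-privilege principal and assert that the unfiltered and filtered results agree, so that a future endpoint that forgets the per-item filter fails the test rather than shipping.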

The third vulnerability, CVE-2026-14614, also related to FGAP v2, involves a bypass of client scope assignment via the ClientResource. This flaw carries a slightly higher CVSSv3 score of 5.4, still within the moderate severity range. It could allow unauthorized modification or assignment of client scopes.

All three vulnerabilities were disclosed on the same day, indicating a potential batch release from the vendor or a coordinated effort by security researchers. The descriptions suggest a common theme: bypassing access controls within the FGAP v2 system. While no specific threat actors or in-the-wild exploitation have been reported for this batch, such vulnerabilities in identity management systems are often targeted by attackers seeking to gain elevated privileges or access sensitive user data.

Details regarding specific affected versions or patches were not provided in the initial disclosure information. Users of Keycloak are advised to monitor official Keycloak security advisories for further information and mitigation steps. Addressing these vulnerabilities is crucial for maintaining the integrity of authentication and authorization processes managed by Keycloak.

The coordinated disclosure of these FGAP v2 related vulnerabilities highlights the importance of regularly auditing access control mechanisms. Organizations relying on Keycloak should prioritize understanding the scope of these bypasses and ensure their configurations are robust against such attacks. Further investigation into the specific impact on different Keycloak deployments is recommended.

AI-written article. Grounded in 3 CVE records listed below.