CVE-2020-14366
Description
A vulnerability was found in Keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the URL path to the file path. Only a few specific folder hierarchies can be exposed by this flaw.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Keycloak's resources endpoint allows path traversal via URL-encoded path segments, exposing limited folder hierarchies.
The vulnerability resides in Keycloak's resources endpoint, which transforms URL paths to file paths. Due to insufficient sanitization, an attacker can use URL-encoded path segments (e.g., %2e%2e) to traverse directories [1][2].
Exploitation requires sending a specially crafted HTTP request to the resources endpoint. The description notes that only specific folder hierarchies can be exposed, limiting the scope of the traversal [1].
Impact: An attacker could read files from those directories, potentially exposing configuration files or other sensitive data. The exact scope depends on the deployment.
Mitigation: Red Hat has acknowledged the issue and likely provided patches in subsequent Keycloak releases. Users should update to the latest version [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
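To make the mechanism concrete, the following added example (not Keycloak's code, and not from any of the references) contrasts a resolver that checks the raw URL path for `..` before decoding with one that decodes first, then normalizes and confines the result to the resource root. `BASE` and the file names are constructed placeholders.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed placeholder for the directory a resources endpoint serves from.
BASE = "/srv/app/resources"


def naive_file_path(requested: str) -> Optional[str]:
    """Flawed pattern: inspect the raw request path, then decode afterwards.

    A literal ".." segment is rejected, but "%2e%2e" is not a literal "..",
    so it passes the check and only becomes ".." once unquote() runs.
    """
    if ".." in requested.split("/"):
        return None
    return posixpath.join(BASE, unquote(requested))


def hardened_file_path(requested: str) -> Optional[str]:
    """Decode first, reject traversal segments, then confine to BASE."""
    decoded = unquote(requested)
    # NUL bytes and backslashes have no place in a resource path.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Segment check after decoding catches %2e%2e as well as a plain "..".
    if any(segment == ".." for segment in decoded.split("/")):
        return None
    # Defense in depth: normalize and verify the result still lives under BASE.
    candidate = posixpath.normpath(posixpath.join(BASE, decoded.lstrip("/")))
    if candidate != BASE and not candidate.startswith(BASE + "/"):
        return None
    return candidate
```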
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-parent (Maven) | < 12.0.0 | 12.0.0 |
Affected products
- Red Hat / keycloak: before (excluding) 12.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cp67-8w3w-6h9c (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-14366 (GHSA, advisory)
- bugzilla.redhat.com/show_bug.cgi (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.