CVE-2025-14777
MEDIUMDescription
A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.
Is your site exposed to CVE-2025-14777?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2025-14777? +
How severe is CVE-2025-14777? +
How do I check if I'm vulnerable to CVE-2025-14777? +
Related Vulnerabilities
When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause …
DataEase is an open source data visualization analysis tool. Prior to 2.10.4, there is a flaw in the authentication in …
The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This …
The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, …
Unraid 7.0.0 before 7.0.1 allows remote users to access the Unraid WebGUI and web console as root without authentication if …
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows …