CVE-2025-14777
Severity: MEDIUM

Description
A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) are keyed only by the resourceId and never confirm that the resource belongs to that resource server. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID of a Client B resource.
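The mismatch described above, as an added illustration in Python rather than Keycloak's own code: a minimal model in which the permission check uses the resource-server id from the request while the store is keyed by resource id alone, next to the scoped variant that compares the resource's owner with the authorized resource server. All names (ResourceStore, can_manage, the grants table, the client and resource ids) are hypothetical and the scenario data is constructed.

```python
# Added illustration (not Keycloak code): a minimal model of the access-control
# mismatch described in CVE-2025-14777. All names and data are hypothetical.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller lacks admin rights on the resource server named in the request."""


class NotFound(Exception):
    """No resource visible to this caller under the given resource server."""


@dataclass(frozen=True)
class Resource:
    id: str
    resource_server_id: str  # the client (resource server) that owns the resource
    name: str


@dataclass
class ResourceStore:
    """Stand-in for the backend table; keyed by resource id only, like findById/delete."""
    resources: dict = field(default_factory=dict)

    def find_by_id(self, resource_id):
        return self.resources.get(resource_id)

    def delete(self, resource_id):
        return self.resources.pop(resource_id, None) is not None


def can_manage(grants, admin, resource_server_id):
    """Fine-grained admin check: may `admin` manage authorization data of this client?"""
    return resource_server_id in grants.get(admin, set())


def delete_resource_vulnerable(store, grants, admin, resource_server_id, resource_id):
    # Authorization is evaluated against the client id supplied in the request ...
    if not can_manage(grants, admin, resource_server_id):
        raise Forbidden(admin)
    # ... but the lookup and the delete are keyed by resource id alone, so the
    # resource's real owner is never compared with resource_server_id.
    if store.find_by_id(resource_id) is None:
        raise NotFound(resource_id)
    store.delete(resource_id)


def delete_resource_fixed(store, grants, admin, resource_server_id, resource_id):
    if not can_manage(grants, admin, resource_server_id):
        raise Forbidden(admin)
    resource = store.find_by_id(resource_id)
    # Scope the object to the authorized resource server: a resource owned by a
    # different client is treated as nonexistent for this caller (same response
    # as an unknown id, so the check does not reveal which ids exist elsewhere).
    if resource is None or resource.resource_server_id != resource_server_id:
        raise NotFound(resource_id)
    store.delete(resource_id)


def run_scenario(handler):
    """Constructed scenario: alice administers client-a only and names a client-b resource id."""
    store = ResourceStore({"res-b-1": Resource("res-b-1", "client-b", "orders")})
    grants = {"alice": {"client-a"}}
    try:
        handler(store, grants, "alice", "client-a", "res-b-1")
        outcome = "deleted"
    except Forbidden:
        outcome = "forbidden"
    except NotFound:
        outcome = "not_found"
    # Return what happened and whether client-b's resource survived.
    return outcome, "res-b-1" in store.resources


if __name__ == "__main__":
    print("vulnerable:", run_scenario(delete_resource_vulnerable))  # ('deleted', False)
    print("fixed:     ", run_scenario(delete_resource_fixed))       # ('not_found', True)
```

The fixed variant also covers the detection side: a caller who is authorized for Client A but asks for a Client B resource receives the same not-found answer as for a nonexistent id, so a burst of such responses for one admin is a reasonable audit signal without the lookup itself confirming that the foreign id exists.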