CVE-2026-14209
MEDIUMKeycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions
Title source: cnaExploitation Summary
EIP tracks 1 public exploit for CVE-2026-14209. PoCs published by HermesNA-1.
AI-analyzed exploit summary This repository contains an auto-generated stub module for CVE-2026-14209, a security restriction bypass in Keycloak's Admin UI extension when Fine-Grained Admin Permissions (FGAPv2) are enabled. The code includes placeholder logic for connectivity checks but lacks actual exploit implementation.
Description
A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific "brute-force-user" endpoint to access a user's full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required "view" permission for that specific user when using this particular search path.
Exploits (1)
This repository contains an auto-generated stub module for CVE-2026-14209, a security restriction bypass in Keycloak's Admin UI extension when Fine-Grained Admin Permissions (FGAPv2) are enabled. The code includes placeholder logic for connectivity checks but lacks actual exploit implementation.
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N