CVE-2025-14777

Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)

Description A broken access control issue was identified in Keycloak’s admin API endpoints related to authorization resource management, specifically within the ResourceSetService and PermissionTicketService. The system incorrectly validates authorization based on the client ID (resourceServer) provided in the API request, while database operations utilize only the resource ID (resourceId). This discrepancy enables an authenticated attacker with limited administrative privileges for one client to modify or delete resources belonging to a different client within the same realm by leveraging a valid resource ID. The affected API endpoints involve resource management.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.