PT-2026-7127 · Keycloak · Keycloak

Published 2026-02-09 · Updated 2026-02-11 · CVE-2025-14778

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)

Description: A Broken Access Control issue exists in the UserManagedPermissionService (UMA Protection API). When a UMA policy linked to multiple resources is updated or deleted, the authorization check only confirms that the caller owns the initial resource within the policy. A user who owns one resource can therefore modify the authorization rules for the other resources in the same policy, even when those resources are owned by a different user; this is a horizontal privilege escalation. The affected endpoint belongs to the UMA Protection API, the vulnerable operations are updating and deleting a UMA policy, and the root cause is insufficient authorization checking in the UserManagedPermissionService when it handles policies associated with multiple resources.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
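To make the described check concrete, the following is an added Python model of the ownership check, not Keycloak's code; the class and method names, and the sample resources, are assumptions. The vulnerable variant verifies only the owner of the policy's initial resource, while the hardened variant requires the caller to own every resource the policy covers.

```python
# Hypothetical model of the UMA policy ownership check; not Keycloak's code.
from dataclasses import dataclass

class Forbidden(Exception):
    """Caller is not allowed to modify the policy."""

@dataclass
class Resource:
    id: str
    owner: str

@dataclass
class Policy:
    id: str
    resource_ids: list  # a UMA policy may cover several resources
    scopes: list

class PolicyStore:
    def __init__(self, resources, policies):
        self.resources = {r.id: r for r in resources}
        self.policies = {p.id: p for p in policies}

    def owners(self, policy_id):
        """Owner of each resource the policy covers, in policy order."""
        p = self.policies[policy_id]
        return [self.resources[rid].owner for rid in p.resource_ids]

    def owns_initial_resource(self, caller, policy_id):
        # Vulnerable shape: only the initial resource's owner is verified.
        return self.owners(policy_id)[0] == caller

    def owns_every_resource(self, caller, policy_id):
        # Hardened shape: the caller must own every resource in the policy.
        return all(o == caller for o in self.owners(policy_id))

    def update_policy(self, caller, policy_id, scopes, authorize):
        """Replace the policy's scopes if `authorize` admits the caller."""
        if not authorize(caller, policy_id):
            raise Forbidden(f"{caller} may not modify {policy_id}")
        self.policies[policy_id].scopes = list(scopes)
        return self.policies[policy_id]

def build_store():
    """Constructed sample: alice owns r1, bob owns r2, policy p1 spans both."""
    return PolicyStore(
        resources=[Resource("r1", "alice"), Resource("r2", "bob")],
        policies=[Policy("p1", ["r1", "r2"], ["view"])],
    )
```

With the vulnerable check, alice can rewrite the rules that govern bob's resource r2 because r1 happens to be listed first; with the hardened check, neither user can modify p1 alone.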

LPE

Incorrect Privilege Assignment

Weakness Enumeration

Related Identifiers

CVE-2025-14778
GHSA-FM6W-RRP3-2X4W

Affected Products

Keycloak