Keycloak UMA: The 'First-Item-Wins' Access Control Disaster
Vulnerability ID: CVE-2025-14778
CVSS Score: 5.4
Published: 2026-02-09
A logic flaw in Keycloak's User-Managed Access (UMA) Protection API allows for horizontal privilege escalation. By exploiting how the system validates resource ownership in shared policies, an attacker can modify permissions for resources they do not own, effectively hijacking access controls for other users.
TL;DR
Keycloak checks the ID of the driver but lets the whole carload of robbers in. A flaw in UserManagedPermissionService allowed users to update multi-resource policies by only proving ownership of the first resource. This lets User A modify access rules for User B's resources.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-266
- Attack Vector: Network (Remote)
- CVSS Score: 5.4 (Medium)
- Impact: Horizontal Privilege Escalation
- Exploit Status: PoC Available (Internal/Theoretical)
- KEV Status: Not Listed
Affected Systems
- Red Hat build of Keycloak 26.2
- Red Hat build of Keycloak 26.4
- Keycloak (upstream) prior to patched releases
- Red Hat build of Keycloak: < 26.2.13-1 (Fixed in: 26.2.13-1)
- Red Hat build of Keycloak: < 26.4.9-1 (Fixed in: 26.4.9-1)
Code Analysis
Commit: 46154
Fix for CVE-2025-14778: prevent changing permission resources during update
```java
// The update handler now accepts the request only when the payload carries
// no resources at all, or exactly the one resource the permission is already
// bound to; any other set means the caller is trying to change which
// resources the policy governs, and the request is rejected.
if (resources.isEmpty() || (resources.size() == 1 && resources.contains(resourceId))) {
    ... // apply the remaining (non-resource) changes to the permission
} else {
    throw new ErrorResponseException(...);
}
```
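As an added illustration (not Keycloak's own code), the following Python model puts the pre-fix "first-item-wins" ownership check beside a version that applies the rule quoted from the patch. Resource ids, user names, the policy shape and the status codes are constructed assumptions for the demo.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Resource:
    id: str
    owner: str


@dataclass(frozen=True)
class Policy:
    id: str
    resources: tuple      # resource ids the permission governs; a single one on creation
    scopes: tuple = ()


# Constructed sample registry: alice owns r1, bob owns r2.
REGISTRY = {"r1": Resource("r1", "alice"), "r2": Resource("r2", "bob")}


def update_vulnerable(user, policy, requested, scopes, registry=REGISTRY):
    """Pre-fix pattern: ownership is proven for the first listed resource only,
    then the whole requested set is attached to the permission."""
    if registry[requested[0]].owner != user:
        return 403, policy
    # Every listed resource is now governed by the caller's rules, including r2.
    return 200, replace(policy, resources=tuple(requested), scopes=tuple(scopes))


def update_fixed(user, policy, requested, scopes, registry=REGISTRY):
    """Post-fix rule: the payload may carry no resources or exactly the bound
    one; otherwise the update is refused before anything is changed."""
    bound = policy.resources[0]
    wanted = set(requested)
    if wanted and wanted != {bound}:
        return 400, policy            # resource set cannot change on update
    if registry[bound].owner != user:
        return 403, policy            # caller does not own the bound resource
    return 200, replace(policy, scopes=tuple(scopes))


def demo():
    """alice edits her own permission but lists bob's r2 alongside her r1."""
    alice_policy = Policy("p1", resources=("r1",), scopes=("view",))
    payload = ["r1", "r2"]
    return (update_vulnerable("alice", alice_policy, payload, ["view", "edit"]),
            update_fixed("alice", alice_policy, payload, ["view", "edit"]))


if __name__ == "__main__":
    before, after = demo()
    print("vulnerable:", before)   # 200, policy now covers r2
    print("fixed:     ", after)    # 400, policy unchanged
```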
Exploit Details
- Internal Analysis: Exploit logic inferred from patch diff and bug report description.
Mitigation Strategies
- Update Keycloak to the latest patched version immediately.
- Audit existing UMA policies for multi-resource associations.
- Review access logs for PUT requests to the /uma-policy/ endpoint affecting shared resources.
Remediation Steps:
- Identify the running version of Keycloak.
- Apply the patch corresponding to your minor version (26.2.x or 26.4.x).
- Restart the Keycloak service.
- Verify the fix by attempting to update a multi-resource policy via the API (should return 400 Bad Request).
References
Read the full report for CVE-2025-14778 on our website for more details including interactive diagrams and full exploit analysis.