CVE-2025-14082: Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions
A flaw was found in the Keycloak Admin REST API. Insufficient authorization checks on the /admin/realms/{realm}/roles endpoint allow a caller who should not be permitted to read realm roles to obtain sensitive role metadata (information disclosure).
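The practical check for this advisory is to call the named endpoint with a token for an account that, under your realm's own policy, must not be able to read role metadata, and confirm the server answers 401/403 rather than a role list. The script below is an added example, not Keycloak's code or anything from the advisory: it builds the endpoint URL, classifies a response (a 200 carrying a JSON array of role representations counts as exposure), and can run the probe over the network. The base URL, realm name and bearer token are assumptions supplied by the caller; the advisory does not say which principals were affected, so choosing an appropriately under-privileged account is left to you. The `__main__` section runs the classifier on a constructed sample response so it works offline.

```python
"""Check whether GET /admin/realms/{realm}/roles hands role metadata to a caller
that should be denied (verification aid for CVE-2025-14082).

Added example for this page; not Keycloak project code. Endpoint path is the one
named in the advisory; URL, realm and token are caller-supplied assumptions.
"""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import quote


def roles_url(base_url: str, realm: str) -> str:
    """Build the Admin REST roles endpoint for a realm (realm name is URL-encoded)."""
    return f"{base_url.rstrip('/')}/admin/realms/{quote(realm, safe='')}/roles"


def classify(status: int, body: bytes) -> dict:
    """Interpret one response from the roles endpoint.

    401/403 means the authorization check held ('exposed': False).
    200 with a JSON array of role representations means role metadata was
    returned ('exposed': True, with the role names seen).
    Anything else is inconclusive ('exposed': None) and should be inspected.
    """
    if status in (401, 403):
        return {"exposed": False, "status": status, "roles": []}
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return {"exposed": None, "status": status, "roles": []}
        if isinstance(data, list):
            names = [r["name"] for r in data if isinstance(r, dict) and "name" in r]
            return {"exposed": True, "status": status, "roles": names}
    return {"exposed": None, "status": status, "roles": []}


def probe(base_url: str, realm: str, bearer_token: str, timeout: float = 10.0) -> dict:
    """Perform the request with the given bearer token and classify the answer.

    Assumption: bearer_token belongs to an account that your realm's policy
    says must NOT be allowed to read roles. Run against a test instance.
    """
    req = urllib.request.Request(
        roles_url(base_url, realm),
        headers={"Authorization": f"Bearer {bearer_token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as e:          # 4xx/5xx arrive as exceptions
        return classify(e.code, e.read())


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # python check_roles.py https://kc.example.test master <token>
        result = probe(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        # Constructed sample response (not captured from a real server): a 200
        # with two role representations, i.e. what exposure would look like.
        sample = b'[{"id":"1","name":"admin","composite":true},{"name":"offline_access"}]'
        result = classify(200, sample)
    verdict = {True: "EXPOSED", False: "enforced", None: "inconclusive"}[result["exposed"]]
    print(f"{verdict} (HTTP {result['status']}) roles={result['roles']}")
```

Run it once before and once after applying the fix from the referenced commit or errata: the pre-fix run should show `EXPOSED` for an account that ought to be denied, and the post-fix run `enforced` with HTTP 403. A 200 that carries an empty array still counts as exposure in this script, since the endpoint answered the listing request at all.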
References
- access.redhat.com/errata/RHSA-2026:6477
- access.redhat.com/errata/RHSA-2026:6478
- access.redhat.com/security/cve/CVE-2025-14082
- bugzilla.redhat.com/show_bug.cgi?id=2419078
- github.com/advisories/GHSA-6q37-7866-h27j
- github.com/keycloak/keycloak
- github.com/keycloak/keycloak/commit/89a8cddfd669178565ae50989c49216a945d1371
- nvd.nist.gov/vuln/detail/CVE-2025-14082