CVE-2025-14778: Keycloak Privilege Escalation Vulnerability

CVE-2025-14778 is a privilege escalation flaw in Keycloak's UMA Protection API that enables horizontal privilege escalation through broken access control. This article covers technical details, affected versions, and mitigations.

Published: February 13, 2026

CVE-2025-14778 Overview

A significant Broken Access Control vulnerability has been identified in Keycloak's UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This flaw enables horizontal privilege escalation, allowing one resource owner to modify authorization rules for resources owned by other users.

Critical Impact

An authenticated user can bypass authorization controls and modify UMA policies affecting resources they do not own, potentially compromising access controls for other users' protected resources.

Affected Products

- Keycloak (versions with UMA Protection API implementation)
- Red Hat Single Sign-On (affected versions addressed in RHSA-2026:2363 through RHSA-2026:2366)

Discovery Timeline

- 2026-02-09 - CVE-2025-14778 published to NVD
- 2026-02-10 - Last updated in NVD database

Technical Details for CVE-2025-14778

Vulnerability Analysis

This vulnerability represents a classic horizontal privilege escalation scenario within Keycloak's User-Managed Access (UMA) implementation. The core issue lies in the UserManagedPermissionService component, which handles the UMA Protection API endpoints responsible for managing resource permissions. The flaw occurs during authorization validation when a user attempts to update or delete a UMA policy that is associated with multiple resources.
The authorization logic validates ownership only for the first resource in the policy's resource list and never iterates through the remaining resources to verify their ownership. If User A owns Resource A and a shared policy includes both Resource A (first in the list) and Resource B (owned by User B), User A can modify the policy because the check passes for Resource A. Those modifications also change Resource B's authorization rules without User B's consent or knowledge.

Root Cause

The root cause is classified as CWE-266 (Incorrect Privilege Assignment). The vulnerability stems from an incomplete authorization check in the UMA policy management logic. Rather than validating the caller's ownership against all resources in a policy, the code checks only the first resource, creating a bypass condition whenever a policy spans multiple resources with different owners.

Attack Vector

The attack is network-accessible and requires low-privilege authentication: the attacker must be an authenticated Keycloak user who owns at least one resource. The attack follows these steps:

1. The attacker identifies or creates a UMA policy that includes their own resource alongside resources owned by other users.
2. When submitting an update request to modify the policy, the attacker's ownership of their resource satisfies the (flawed) authorization check.
3. The policy modification is applied to all resources in the policy, including those the attacker does not own.
4. The attacker has now modified authorization rules for other users' resources without proper authorization.

This vulnerability does not require user interaction and can be exploited directly through API calls to the UMA Protection API endpoints. Exploitation results in unauthorized modification of access control policies, affecting both the confidentiality and integrity of the protected resources.
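The following Python model illustrates the check pattern the root-cause section describes (ownership compared against the first resource only) next to the corrected pattern (every resource must be owned by the caller). It is an added example and is not Keycloak's code; the Resource and UmaPolicy classes, the function names and the user and resource identifiers are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


# Constructed model of a UMA resource and policy for this example only.
@dataclass(frozen=True)
class Resource:
    resource_id: str
    owner_id: str


@dataclass(frozen=True)
class UmaPolicy:
    policy_id: str
    resource_ids: Tuple[str, ...]  # order matters for the flawed check below


def caller_may_modify_vulnerable(caller_id: str, policy: UmaPolicy,
                                 resources: Dict[str, Resource]) -> bool:
    """Flawed pattern described in the advisory: ownership is compared
    against the FIRST resource only, so a policy that also covers other
    owners' resources is treated as if the caller owned all of them."""
    if not policy.resource_ids:
        return False
    first = resources[policy.resource_ids[0]]
    return first.owner_id == caller_id


def caller_may_modify_fixed(caller_id: str, policy: UmaPolicy,
                            resources: Dict[str, Resource]) -> bool:
    """Corrected pattern: every resource the policy covers must be owned by
    the caller; an empty list or an unknown resource id is denied by default."""
    if not policy.resource_ids:
        return False
    for rid in policy.resource_ids:
        res = resources.get(rid)
        if res is None or res.owner_id != caller_id:
            return False
    return True


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Run both checks over constructed data and return
    {scenario: (vulnerable_result, fixed_result)}."""
    resources = {
        "res-a": Resource("res-a", owner_id="alice"),
        "res-b": Resource("res-b", owner_id="bob"),
    }
    shared_a_first = UmaPolicy("pol-1", ("res-a", "res-b"))
    shared_b_first = UmaPolicy("pol-2", ("res-b", "res-a"))
    alice_only = UmaPolicy("pol-3", ("res-a",))
    scenarios = {
        # alice owns only the first resource: flawed check passes, fixed denies
        "alice_updates_shared_a_first": ("alice", shared_a_first),
        # same policy with the order swapped: the flawed check now denies alice,
        # showing its outcome depended on list order rather than on ownership
        "alice_updates_shared_b_first": ("alice", shared_b_first),
        # bob owns only the second resource: both checks deny
        "bob_updates_shared_a_first": ("bob", shared_a_first),
        # single-resource policy owned by the caller: both checks allow
        "alice_updates_own_policy": ("alice", alice_only),
    }
    return {
        name: (caller_may_modify_vulnerable(caller, pol, resources),
               caller_may_modify_fixed(caller, pol, resources))
        for name, (caller, pol) in scenarios.items()
    }


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name}: vulnerable={vuln} fixed={fixed}")
```

The order-swapped scenario is the useful one for reviewers: a check whose result changes when the same set of resources is listed in a different order is checking position, not authorization. The corrected function also denies when a resource id has no record, so a stale or partially registered policy cannot pass by omission.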
Detection Methods for CVE-2025-14778

Indicators of Compromise

- Unexpected modifications to UMA policies involving multi-resource configurations
- Audit log entries showing policy updates where the modifying user owns only a subset of the affected resources
- Users reporting unauthorized access changes to their protected resources
- API calls to UMA Protection API endpoints with policy updates affecting resources across multiple owners

Detection Strategies

- Monitor Keycloak audit logs for UPDATE_PERMISSION and DELETE_PERMISSION events involving policies with multiple resources
- Implement custom audit rules to flag policy modifications where the authenticated user does not own all resources in the policy
- Deploy API monitoring to detect unusual patterns in UMA Protection API usage
- Correlate policy change events with resource ownership records to identify potential exploitation attempts

Monitoring Recommendations

- Enable comprehensive audit logging for all UMA Protection API operations in Keycloak
- Configure alerting for policy modifications involving cross-owner resource collections
- Regularly review UMA policy configurations to identify policies spanning multiple resource owners
- Implement periodic access control audits to verify policy in
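The correlation rule from the Detection Strategies section (flag UPDATE_PERMISSION and DELETE_PERMISSION events whose actor does not own every resource in the policy) can be run as a small script over exported audit records and an ownership export. This is an added example, not part of the advisory or of Keycloak: the event field names (ts, type, user, policy, resources), the ownership map and the sample records are constructed for the illustration and would need to be mapped onto whatever your log exporter actually emits.

```python
from typing import Dict, Iterable, List

# Constructed ownership record for this example: resource id -> owner user id.
# Assumption: an export of resource registrations with their owners is
# available from the authorization server.
OWNERSHIP: Dict[str, str] = {
    "res-a": "alice",
    "res-b": "bob",
}

# Constructed audit records. The field names are this example's own, not
# Keycloak's event schema; map your log exporter's fields onto them.
EVENTS: List[dict] = [
    {"ts": "2026-02-10T08:00:00Z", "type": "UPDATE_PERMISSION", "user": "alice",
     "policy": "pol-1", "resources": ["res-a", "res-b"]},
    {"ts": "2026-02-10T08:01:00Z", "type": "DELETE_PERMISSION", "user": "bob",
     "policy": "pol-9", "resources": ["res-b"]},
    {"ts": "2026-02-10T08:02:00Z", "type": "LOGIN", "user": "carol"},
    {"ts": "2026-02-10T08:03:00Z", "type": "UPDATE_PERMISSION", "user": "carol",
     "policy": "pol-4", "resources": ["res-zz"]},
]

# Event types named in the Detection Strategies section.
POLICY_CHANGE_TYPES = {"UPDATE_PERMISSION", "DELETE_PERMISSION"}


def find_cross_owner_changes(events: Iterable[dict],
                             ownership: Dict[str, str]) -> List[dict]:
    """Return one finding per policy change whose actor does not own every
    resource the policy covers. Resources with no ownership record are
    reported as 'unknown' rather than silently trusted."""
    findings = []
    for ev in events:
        if ev.get("type") not in POLICY_CHANGE_TYPES:
            continue
        actor = ev.get("user")
        resources = ev.get("resources", [])
        foreign = [r for r in resources
                   if r in ownership and ownership[r] != actor]
        unknown = [r for r in resources if r not in ownership]
        if not foreign and not unknown:
            continue  # actor owns everything the policy covers: benign
        owners = sorted({ownership[r] for r in resources if r in ownership})
        findings.append({
            "ts": ev.get("ts"),
            "type": ev["type"],
            "user": actor,
            "policy": ev.get("policy"),
            "foreign": sorted(foreign),
            "unknown": sorted(unknown),
            "owners": owners,  # distinct known owners the change touched
        })
    return findings


if __name__ == "__main__":
    for f in find_cross_owner_changes(EVENTS, OWNERSHIP):
        print(f"{f['ts']} {f['type']} by {f['user']} on {f['policy']}: "
              f"foreign={f['foreign']} unknown={f['unknown']} owners={f['owners']}")
```

On a patched server a finding with a non-empty "foreign" list should not occur, so any hit is worth a ticket; the "unknown" list catches resources missing from the ownership export, which usually means the export is stale rather than that an attack happened, but it should not be dropped silently.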
CVE-2025-14778 is a horizontal privilege escalation vulnerability in