keycloak-services is vulnerable to Privilege Escalation
77
High Risk
The GroupResource.addChild endpoint in the Admin REST API is missing an authorization check when reparenting groups. With Fine-Grained Admin Permissions v2 enabled, a user who manages a single low-privilege group can move a highly privileged group underneath it. Because group permissions are inherited hierarchically, this grants management and password-reset rights over the privileged group's members and can lead to full realm takeover. The fix enforces authorization on the reparent operation.
You are affected if you are using a version that falls within the vulnerable range and Fine-Grained Admin Permissions v2 is enabled.
keycloak-services is vulnerable to Privilege Escalation in versions 1.0.1.Final - 26.6.3.
Upgrade the org.keycloak:keycloak-services library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant