Publish GHSA-fm6w-rrp3-2x4w

advisory-database[bot] · advisory-database[bot] · commit b6e6397dd823 · 2026-02-10T16:55:08.000Z
diff --git a/advisories/github-reviewed/2026/02/GHSA-fm6w-rrp3-2x4w/GHSA-fm6w-rrp3-2x4w.json b/advisories/github-reviewed/2026/02/GHSA-fm6w-rrp3-2x4w/GHSA-fm6w-rrp3-2x4w.json
@@ -1,24 +1,53 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fm6w-rrp3-2x4w",
-  "modified": "2026-02-10T03:30:27Z",
+  "modified": "2026-02-10T16:53:14Z",
   "published": "2026-02-09T21:31:03Z",
   "aliases": [
     "CVE-2025-14778"
   ],
+  "summary": "Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService",
   "details": "A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This allows a user (Owner A) who owns one resource (RA) to update a shared policy and modify authorization rules for other resources (e.g., RB) in that same policy, even if those other resources are owned by a different user (Owner B). This constitutes a horizontal privilege escalation.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-services"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "26.5.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14778"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/issues/46147"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/pull/46154"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:2363"
@@ -42,15 +71,19 @@
     {
       "type": "WEB",
       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2422600"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/keycloak/keycloak"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-266"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-10T16:53:14Z",
     "nvd_published_at": "2026-02-09T20:15:54Z"
   }
 }
