PT-2026-55090 · Maven · Org.Keycloak:Keycloak-Services

Publicado

2026-07-01

·

Atualizado

2026-07-01

CVSS v3.1

7.3

Alta

VetorAV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Description

A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.

Correção

Incorrect Privilege Assignment

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

GHSA-32H4-44JJ-C5VX

Produtos afetados

Org.Keycloak:Keycloak-Services