PT-2026-55152 · Maven · Org.Keycloak:Keycloak-Services

Publicado

2026-05-28

·

Atualizado

2026-05-28

CVSS v3.1

6.5

Média

VetorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
A flaw was found in Keycloak. An authenticated administrator with the manage-clients role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to realm-admin for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots.

Correção

Time Of Check To Time Of Use

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

GHSA-PQ65-77RC-7R8C

Produtos afetados

Org.Keycloak:Keycloak-Services