PT-2026-44186 · Red Hat · Keycloak

Andrej Tomci

·

Published

2026-05-28

·

Updated

2026-07-02

·

CVE-2026-9795

CVSS v3.1

7.3

High

VectorAV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)
Description A flaw exists in the Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can assign any realm role, including highly privileged ones, to a client's scope mapping. This bypasses security controls, allowing the injected role to be included in a user's authentication token upon accessing the modified client, which can result in unauthorized privilege escalation within the realm.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

LPE

Incorrect Privilege Assignment

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9795
GHSA-32H4-44JJ-C5VX
GHSA-8HCX-P7M8-GC28

Affected Products

Keycloak