PT-2026-55090 · Maven · Org.Keycloak:Keycloak-Services

Published

2026-07-01

·

Updated

2026-07-01

CVSS v3.1

7.3

High

VectorAV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Description

A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.

Fix

Incorrect Privilege Assignment

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

GHSA-32H4-44JJ-C5VX

Affected Products

Org.Keycloak:Keycloak-Services