CVE-2026-9795
Status: Received - Intake
Fine-Grained Admin Permissions Privilege Escalation in Keycloak

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE

Vendor    Product   Version / Range
keycloak  keycloak  * (no version range specified)
CWE ID   Description
CWE-266  Incorrect Privilege Assignment: the product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-9795 is a privilege escalation vulnerability in Keycloak's Fine-Grained Admin Permissions version 2 (FGAPv2). It allows an administrator who holds only limited client management permissions to add any realm role to a client's scope mappings, including highly privileged ones. (The commonly cited worst case, realm-admin, is strictly a client role of the built-in realm-management client; the realm roles to worry about are the master realm's admin role and any realm role whose composites include realm-management roles such as realm-admin.) This bypasses the intended security controls because the affected versions do not enforce the expected permission check when a client's scope mappings are modified.

As a result, the injected privileged role can be projected into a user's authentication token when they access the affected client, enabling unauthorized privilege escalation within the Keycloak realm.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized privilege escalation within your Keycloak realm. An attacker who holds limited management permissions on a client can escalate privileges by injecting highly privileged realm roles into that client's scope mappings, a change the attacker's permissions should not have allowed.

Consequently, users authenticating through the modified client may receive tokens containing elevated roles, potentially granting them access to sensitive resources or administrative functions they should not have.

This affects both confidentiality and integrity: holders of the elevated tokens can read data and perform changes that the realm's authorization model never intended to permit.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two parts: confirm that Fine-Grained Admin Permissions v2 (FGAPv2) is enabled on the realm (the realm setting adminPermissionsEnabled is true), and look for clients whose realm-role scope mappings contain privileged roles.

Because the flaw lets an administrator with limited client management permissions add privileged roles to a client's scope mappings, the scope mappings themselves are the artifact to inspect. Using the Keycloak Admin REST API (paths below are relative to the server base URL):

  • GET /admin/realms/{realm} and check adminPermissionsEnabled in the returned realm representation.
  • GET /admin/realms/{realm}/clients to enumerate clients, then for each client id GET /admin/realms/{realm}/clients/{id}/scope-mappings/realm to list the realm roles mapped to that client (GET .../scope-mappings/realm/composite additionally expands composite roles).
  • Flag mappings of privileged roles: the master realm's admin role, and any realm role whose composites include roles of the realm-management client (realm-admin, the manage-* roles, impersonation). Note that realm-admin itself is a client role of realm-management, so search composites rather than role names alone.
  • Record each client's fullScopeAllowed flag. Explicit scope mappings only restrict token contents when it is false; with it true, all of a user's roles already flow into the token regardless of mappings.

Enable admin events for the realm and review entries with resource type REALM_SCOPE_MAPPING to see which administrator changed a client's scope mappings and when. Inspecting tokens issued through clients with suspicious mappings (unexpected entries in the realm_access.roles claim) can also reveal exploitation.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps:

Review who holds fine-grained manage permissions on clients under FGAPv2 and restrict them to fully trusted administrators; a limited client manager is exactly the actor this flaw empowers.

If FGAPv2 is not required, disable it by setting adminPermissionsEnabled to false on the realm (PUT /admin/realms/{realm} with a body of {"adminPermissionsEnabled": false}, or via the realm settings in the admin console).

Audit existing client scope mappings for privileged realm roles and remove any that were not intentionally assigned (DELETE /admin/realms/{realm}/clients/{id}/scope-mappings/realm with the role representations to remove, identified by their id).

Turn on admin events and monitor issued tokens for unexpected roles that could indicate exploitation.

As of this page's last update no fixed version is listed, so these administrative controls are the only available way to limit the risk of privilege escalation.
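The detection procedure in the previous answer and the audit-and-remove steps in this one, as one added example (editor's code, not Keycloak's and not part of the original page). It runs offline over constructed sample JSON shaped like the Admin REST API responses; the endpoint paths are Keycloak's, while the host https://sso.example.com, the token variable and the sample client ids and role names are assumptions. The composite-role walk goes slightly beyond the answers above: it treats a realm role as privileged when its composite closure contains realm-management roles, so a custom composite that wraps realm-admin is caught as well as the master realm's admin role.

```python
"""Audit a Keycloak realm for the exposure described in CVE-2026-9795:
FGAPv2 enabled (adminPermissionsEnabled) plus privileged realm roles in a
client's realm-role scope mappings, and build the Admin REST calls to undo it.

Added example, not Keycloak code. Endpoint paths follow the Keycloak Admin
REST API; the sample JSON below is constructed to look like its responses.
"""
import json
import urllib.request

# Built-in realm-management client roles whose presence in a realm role's
# composite closure makes that realm role "privileged" for this audit.
PRIVILEGED_CLIENT_ROLES = {
    "realm-management": {"realm-admin", "manage-realm", "manage-users",
                         "manage-clients", "manage-authorization", "impersonation"},
}

# Constructed sample of GET /admin/realms/{realm} (only the fields used here).
SAMPLE_REALM = {"realm": "acme", "adminPermissionsEnabled": True}

# Constructed sample of realm roles keyed by name. The "composites" shape
# follows RoleRepresentation; a live collector fills it from
# GET /admin/realms/{realm}/roles/{role-name}/composites.
SAMPLE_REALM_ROLES = {
    "admin":   {"name": "admin", "composite": True,
                "composites": {"client": {"realm-management": ["realm-admin"]}}},
    "support": {"name": "support", "composite": False},
    # Two roles that compose each other: exercises the cycle guard below.
    "ops":     {"name": "ops", "composite": True, "composites": {"realm": ["ops2"]}},
    "ops2":    {"name": "ops2", "composite": True, "composites": {"realm": ["ops"]}},
}

# Constructed sample: GET /admin/realms/{realm}/clients merged with
# GET /admin/realms/{realm}/clients/{id}/scope-mappings/realm per client.
SAMPLE_CLIENTS = [
    {"id": "c1", "clientId": "billing-app", "fullScopeAllowed": False,
     "realm_scope_mappings": [{"id": "r-support", "name": "support"}]},
    {"id": "c2", "clientId": "partner-portal", "fullScopeAllowed": False,
     "realm_scope_mappings": [{"id": "r-support", "name": "support"},
                              {"id": "r-admin", "name": "admin"}]},
    {"id": "c3", "clientId": "ci-runner", "fullScopeAllowed": False,
     "realm_scope_mappings": [{"id": "r-ops", "name": "ops"}]},
]


def is_privileged_realm_role(name, realm_roles, realm_name, _seen=None):
    """True if the role is the master realm's 'admin' role or its composite
    closure contains a privileged realm-management client role.
    Walks realm composites recursively; _seen guards against composite cycles."""
    if _seen is None:
        _seen = set()
    if name in _seen:
        return False
    _seen.add(name)
    if realm_name == "master" and name == "admin":
        return True
    role = realm_roles.get(name, {})
    if not role.get("composite"):
        return False
    comps = role.get("composites", {})
    for client, roles in comps.get("client", {}).items():
        if PRIVILEGED_CLIENT_ROLES.get(client, set()) & set(roles):
            return True
    return any(is_privileged_realm_role(r, realm_roles, realm_name, _seen)
               for r in comps.get("realm", []))


def audit(realm_rep, realm_roles, clients):
    """Return the FGAPv2 state and every (client, privileged realm role) mapping."""
    findings = []
    for c in clients:
        for role in c.get("realm_scope_mappings", []):
            if is_privileged_realm_role(role["name"], realm_roles, realm_rep["realm"]):
                findings.append({"clientId": c["clientId"], "id": c["id"],
                                 "role": role["name"], "role_id": role["id"]})
    return {"fgapv2_enabled": bool(realm_rep.get("adminPermissionsEnabled")),
            "findings": findings}


def remediation_plan(realm_name, findings, disable_fgapv2):
    """Build (method, path, json_body) tuples: optionally switch FGAPv2 off, then
    DELETE each flagged mapping. DELETE .../scope-mappings/realm takes a JSON array
    of RoleRepresentations and resolves them by 'id', so the id must be present."""
    plan = []
    if disable_fgapv2:
        plan.append(("PUT", f"/admin/realms/{realm_name}", {"adminPermissionsEnabled": False}))
    for f in findings:
        plan.append(("DELETE",
                     f"/admin/realms/{realm_name}/clients/{f['id']}/scope-mappings/realm",
                     [{"id": f["role_id"], "name": f["role"]}]))
    return plan


def execute(base_url, token, plan):
    """Send the plan with a bearer token from an administrator who may manage the
    realm. base_url is assumed to look like https://sso.example.com (hypothetical)."""
    for method, path, body in plan:
        req = urllib.request.Request(base_url + path, method=method,
                                     data=json.dumps(body).encode(),
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            print(method, path, resp.status)


if __name__ == "__main__":
    result = audit(SAMPLE_REALM, SAMPLE_REALM_ROLES, SAMPLE_CLIENTS)
    print(json.dumps(result, indent=2))
    for step in remediation_plan("acme", result["findings"], disable_fgapv2=True):
        print(*step)  # dry run; call execute(base_url, token, plan) to apply
```

On the sample data the audit flags only partner-portal's mapping of the acme realm's admin role (a composite wrapping realm-management/realm-admin); the ops/ops2 cycle is walked once and reported as harmless. Collect the live inputs with the GET calls named in the comments before running the plan against a real server, and prefer a dry run first, since the DELETE step changes what the client can emit in tokens.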

