CVE-2026-9795
Status: Analyzed - Analysis Complete
Fine-Grained Admin Permissions Privilege Escalation in Keycloak

Publication date: 2026-05-28

Last updated on: 2026-06-03

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.
Meta Information
Published: 2026-05-28
Last Modified: 2026-06-03
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: redhat
Product: build_of_keycloak
Version / Range: *
CWE
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Quick Actions
Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves verifying if the Keycloak realm has Fine-Grained Admin Permissions v2 (FGAPv2) enabled (adminPermissionsEnabled=true) and checking if any clients have scope mappings that include highly privileged realm roles, such as realm-admin.

Since the vulnerability allows an administrator with limited client management permissions to assign privileged roles to a client's scope mapping, you can inspect the scope mappings of clients to identify unauthorized role assignments.

Suggested commands or API calls include querying the Keycloak Admin REST API to list client scope mappings and their assigned roles, for example:

  • Use the Keycloak Admin REST API endpoint GET /{realm}/clients/{id}/scope-mappings/realm to list realm roles assigned to a client's scope mapping.
  • Check for presence of highly privileged roles such as 'realm-admin' in the returned scope mappings.
  • Verify the realm setting 'adminPermissionsEnabled' to confirm FGAPv2 is enabled.

Monitoring authentication tokens issued through clients with suspicious scope mappings may also help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting or reviewing administrator permissions to ensure that only fully trusted users have fine-grained manage permissions on clients.

Disable FGAPv2 (Fine-Grained Admin Permissions v2) if it is not required, by setting 'adminPermissionsEnabled' to false in the realm configuration.

Audit existing client scope mappings for unauthorized privileged role assignments and remove any suspicious or unintended roles.

Monitor authentication tokens for unexpected roles that could indicate exploitation.

Since no patch is currently available, these administrative controls are critical to limit the risk of privilege escalation.
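The detection checks above (list each client's realm scope mappings, look for privileged roles, confirm whether 'adminPermissionsEnabled' is set) and the audit step in the mitigation list can be run as one script. The following is an added example written for this page, not Keycloak's own code or tooling: it uses only the Python standard library, the Admin REST API paths (/admin/realms/{realm}, /admin/realms/{realm}/clients, /admin/realms/{realm}/clients/{id}/scope-mappings/realm) are the real ones, while the privileged-role set, the KC_* environment variable names and the sample realm data are assumptions constructed for illustration. It goes slightly beyond the page by also reporting composite roles, which can carry a privileged role indirectly and need to be expanded by hand.

```python
"""Audit Keycloak clients for privileged realm roles in their scope mappings.

Added example for this CVE page (not Keycloak's own code). Standard library only.
Assumptions: PRIVILEGED_ROLES, the KC_* environment variables, and SAMPLE_* data.
"""
import json
import os
import urllib.request

# Roles whose presence in a client's realm scope mapping is reported as a finding.
# Assumption: adjust this set to the roles that are privileged in your realm.
PRIVILEGED_ROLES = frozenset({"realm-admin", "admin", "create-realm"})


def audit_scope_mappings(realm_rep, mappings_by_client, privileged=PRIVILEGED_ROLES):
    """Return one finding dict per client whose realm scope mapping is suspicious.

    realm_rep: RealmRepresentation JSON from GET /admin/realms/{realm}
    mappings_by_client: {clientId: [RoleRepresentation, ...]} from
        GET /admin/realms/{realm}/clients/{id}/scope-mappings/realm
    """
    fgap_v2 = bool(realm_rep.get("adminPermissionsEnabled", False))
    findings = []
    for client_id, roles in sorted(mappings_by_client.items()):
        names = {r.get("name") for r in roles}
        hit = sorted(names & privileged)
        # A composite role may contain a privileged role; report it for manual expansion.
        composites = sorted(
            r["name"] for r in roles if r.get("composite") and r["name"] not in privileged
        )
        if hit or composites:
            findings.append({
                "client": client_id,
                "privileged_roles": hit,
                "composite_roles_to_expand": composites,
                "fgap_v2_enabled": fgap_v2,
            })
    return findings


def _get(base_url, path, token):
    """GET a JSON document from the Admin REST API with a bearer token."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path, headers={"Authorization": "Bearer " + token}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_live(base_url, realm, token):
    """Collect the realm representation and every client's realm scope mappings."""
    realm_rep = _get(base_url, f"/admin/realms/{realm}", token)
    clients = _get(base_url, f"/admin/realms/{realm}/clients", token)
    mappings = {}
    for c in clients:
        mappings[c["clientId"]] = _get(
            base_url, f"/admin/realms/{realm}/clients/{c['id']}/scope-mappings/realm", token
        )
    return realm_rep, mappings


# Constructed sample data standing in for live API responses.
SAMPLE_REALM = {"realm": "demo", "adminPermissionsEnabled": True}
SAMPLE_MAPPINGS = {
    "billing-portal": [{"name": "offline_access", "composite": False}],
    "partner-app": [
        {"name": "uma_authorization", "composite": False},
        {"name": "realm-admin", "composite": False},
    ],
    "legacy-sso": [{"name": "ops-super", "composite": True}],
}

if __name__ == "__main__":
    # Assumption: KC_BASE_URL, KC_REALM and KC_ADMIN_TOKEN select a live server;
    # without them the script runs against the constructed sample.
    base = os.environ.get("KC_BASE_URL")
    token = os.environ.get("KC_ADMIN_TOKEN")
    if base and token:
        realm_rep, mappings = fetch_live(base, os.environ.get("KC_REALM", "master"), token)
    else:
        realm_rep, mappings = SAMPLE_REALM, SAMPLE_MAPPINGS
    for finding in audit_scope_mappings(realm_rep, mappings):
        print(json.dumps(finding))
```

A finding with fgap_v2_enabled true and a privileged role on a client that does not need it is the condition the page describes; a composite hit is only a pointer to expand that role (GET /admin/realms/{realm}/roles/{role-name}/composites) before deciding. Run the audit from an account whose token was issued by a trusted path, since the tokens of clients under review are exactly what may carry injected roles.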

Compliance Impact

This vulnerability allows unauthorized privilege escalation within the Keycloak realm by enabling an attacker with limited client management permissions to assign highly privileged roles to a client's scope mapping. This bypass of intended security controls can lead to unauthorized access to sensitive data or administrative functions.

Such unauthorized privilege escalation and potential exposure of sensitive information can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Executive Summary

CVE-2026-9795 is a privilege escalation vulnerability in Keycloak's Fine-Grained Admin Permissions version 2 (FGAPv2). It allows an administrator who has limited client management permissions to assign any realm role, including highly privileged ones like realm-admin, to a client's scope mapping. This bypasses the intended security controls because the system does not properly enforce permission checks when modifying scope mappings.

As a result, the injected privileged role can be included in a user's authentication token when they access the affected client, enabling unauthorized privilege escalation within the Keycloak realm.

Impact Analysis

This vulnerability can lead to unauthorized privilege escalation within your Keycloak realm. An attacker with limited permissions on a client can escalate their privileges by injecting highly privileged roles into a client's scope mapping.

Consequently, users authenticating through the compromised client may receive tokens containing elevated roles, potentially granting them access to sensitive resources or administrative functions they should not have.

This impacts the confidentiality and integrity of your system by allowing unauthorized access and modification capabilities.
