CVE-2026-11986

Privilege Escalation in Keycloak Admin UI Extension

Vulnerability report for CVE-2026-11986, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: Red Hat, Inc.

Description

A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.


Meta Information

Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-07-02
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

1 associated CPE:
Vendor: redhat | Product: keycloak | Version / Range: *

Exploitability

CWE-425: The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Impact Analysis

This vulnerability can impact you by allowing a delegated administrator with limited permissions to remove highly privileged roles from other users or groups. This can disrupt administrative access control within your Keycloak environment.

Such unauthorized removal of critical roles could lead to loss of control over realm management, client management, or overall administrative functions, potentially weakening your system's security posture and causing operational disruptions.

Executive Summary

This vulnerability is an authorization bypass flaw in the admin-ui-ext component of Keycloak, specifically affecting bulk role-removal endpoints. These endpoints fail to perform detailed permission checks when deleting role mappings, allowing a delegated administrator with limited permissions to remove highly privileged roles from other users or groups.

The issue arises because the vulnerable endpoints only enforce a container-level authorization check but do not enforce the required per-role authorization checks that the standard Admin REST API performs. As a result, an attacker with certain high privileges can bypass intended restrictions and remove sensitive roles such as manage-realm, manage-clients, or realm-admin from other administrators.

Compliance Impact

This vulnerability allows delegated administrators with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.

Such disruption in access control could lead to unauthorized changes in administrative privileges, which may impact the enforcement of security policies required by standards and regulations like GDPR and HIPAA.

However, the provided information does not explicitly describe the direct impact on compliance with these standards.

Detection Guidance

This vulnerability affects the Keycloak admin-ui-ext extension, specifically the bulk role-mapping-delete endpoints: POST /admin/realms/{realm}/ui-ext/role-mapping-delete/users/{id} and POST /admin/realms/{realm}/ui-ext/role-mapping-delete/groups/{id}.

To detect exploitation attempts on your system or network, monitor for unauthorized POST requests to these endpoints that result in role removals.

  • Use network monitoring or web server logs to identify POST requests to the vulnerable endpoints.
  • Check Keycloak audit logs or administrative logs for unexpected removal of high-privilege roles such as manage-realm, manage-clients, or realm-admin.
  • Example commands to search logs for suspicious POST requests (assuming logs are in /var/log/keycloak/access.log):

      grep 'POST /admin/realms/.*/ui-ext/role-mapping-delete/users/' /var/log/keycloak/access.log
      grep 'POST /admin/realms/.*/ui-ext/role-mapping-delete/groups/' /var/log/keycloak/access.log
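The same check as a small log parser, added here as an example and not part of this report or of Keycloak: it reads common-log-format access lines (the sample lines below are constructed), keeps only POSTs to the two ui-ext bulk role-mapping-delete endpoints named above, separates rejected (4xx) requests from ones that succeeded, and counts successful bulk deletions per source address.

```python
import re
from collections import Counter

# Constructed sample access-log lines in common log format; not real Keycloak output.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jun/2026:09:14:02 +0000] "POST /admin/realms/corp/ui-ext/role-mapping-delete/users/4f1c HTTP/1.1" 204 0
10.0.0.5 - - [11/Jun/2026:09:14:03 +0000] "GET /admin/realms/corp/users HTTP/1.1" 200 812
10.0.0.9 - - [11/Jun/2026:09:20:41 +0000] "POST /admin/realms/corp/ui-ext/role-mapping-delete/groups/a2b7 HTTP/1.1" 204 0
10.0.0.5 - - [11/Jun/2026:09:21:10 +0000] "POST /admin/realms/corp/ui-ext/role-mapping-delete/users/9e00 HTTP/1.1" 204 0
10.0.0.7 - - [11/Jun/2026:09:22:00 +0000] "POST /admin/realms/corp/ui-ext/role-mapping-delete/users/abcd HTTP/1.1" 403 0
"""

# Common log format: client, ident, user, [timestamp], "METHOD path proto", status, size.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The two endpoints named in the detection guidance: .../users/{id} and .../groups/{id}.
ENDPOINT_RE = re.compile(
    r'^/admin/realms/(?P<realm>[^/]+)/ui-ext/role-mapping-delete/(?P<target>users|groups)/(?P<id>[^/?]+)$'
)


def find_bulk_role_deletes(log_text):
    """Return one record per POST to a bulk role-mapping-delete endpoint.

    A 2xx status means the server accepted the deletion; a 4xx means it was rejected.
    The access log shows which user or group was targeted but not which roles were
    removed, so confirm the removed roles in the Keycloak admin events.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        e = ENDPOINT_RE.match(m["path"])
        if not e:
            continue
        status = int(m["status"])
        hits.append({"src": m["src"], "ts": m["ts"], "realm": e["realm"],
                     "target": e["target"], "id": e["id"], "status": status,
                     "succeeded": 200 <= status < 300})
    return hits


def successful_deletes_by_source(hits):
    """Count accepted bulk deletions per client address for triage."""
    return Counter(h["src"] for h in hits if h["succeeded"])


if __name__ == "__main__":
    found = find_bulk_role_deletes(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} {h["target"]}/{h["id"]} status={h["status"]}')
    print(dict(successful_deletes_by_source(found)))
```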

Mitigation Strategies

To mitigate this vulnerability, restrict access to the vulnerable bulk role-mapping-delete endpoints in the Keycloak admin-ui-ext extension.

Ensure that only fully privileged administrators use these endpoints, and prevent delegated administrators with limited permissions from performing bulk role removals.

Monitor and audit role removal activities closely to detect unauthorized changes.

Apply any available patches or updates from Keycloak or your vendor that address this authorization bypass.
