CVE-2026-11986
Received - Intake
Privilege Escalation in Keycloak Admin UI Extension

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: Red Hat, Inc.

Description
A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.
Affected Vendors & Products

Vendor    Product    Version / Range
redhat    keycloak   *
CWE

CWE-425: The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by allowing a delegated administrator with limited permissions to remove highly privileged roles from other users or groups. This can disrupt administrative access control within your Keycloak environment.

Such unauthorized removal of critical roles could lead to loss of control over realm management, client management, or overall administrative functions, potentially weakening your system's security posture and causing operational disruptions.

Executive Summary

This vulnerability is an authorization bypass flaw in the admin-ui-ext component of Keycloak, specifically affecting bulk role-removal endpoints. These endpoints fail to perform detailed permission checks when deleting role mappings, allowing a delegated administrator with limited permissions to remove highly privileged roles from other users or groups.

The issue arises because the vulnerable endpoints only enforce a container-level authorization check but do not enforce the required per-role authorization checks that the standard Admin REST API performs. As a result, an attacker with certain high privileges can bypass intended restrictions and remove sensitive roles such as manage-realm, manage-clients, or realm-admin from other administrators.

Detection Guidance

This vulnerability affects the Keycloak admin-ui-ext extension, specifically the bulk role-mapping-delete endpoints: POST /admin/realms/{realm}/ui-ext/role-mapping-delete/users/{id} and POST /admin/realms/{realm}/ui-ext/role-mapping-delete/groups/{id}.

To detect exploitation attempts on your system or network, monitor for unauthorized POST requests to these endpoints that result in role removals.

  • Use network monitoring or web server logs to identify POST requests to the vulnerable endpoints.
  • Check Keycloak audit logs or administrative logs for unexpected removal of high-privilege roles such as manage-realm, manage-clients, or realm-admin.
  • Example commands to search the logs for suspicious POST requests (assuming logs are in /var/log/keycloak/access.log):
      grep 'POST /admin/realms/.*/ui-ext/role-mapping-delete/users/' /var/log/keycloak/access.log
      grep 'POST /admin/realms/.*/ui-ext/role-mapping-delete/groups/' /var/log/keycloak/access.log
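The grep commands above only show that a request hit one of the two endpoints. The following added example (not part of the advisory or of Keycloak itself) goes one step further: it parses access-log lines, extracts the realm, whether the target was a user or a group, the target id and the caller, and separates requests the server accepted (2xx) from rejected ones, so triage can focus on removals that actually succeeded. It assumes a combined-format access log as in the grep examples; the log lines embedded below are constructed samples.

```python
import re
from typing import Dict, List

# Matches the two bulk role-mapping-delete endpoints named in the advisory
# (users and groups) and captures the realm, target kind, target id and
# HTTP status so each hit can be triaged.
ENDPOINT_RE = re.compile(
    r'"POST\s+/admin/realms/(?P<realm>[^/\s"]+)/ui-ext/role-mapping-delete/'
    r'(?P<kind>users|groups)/(?P<target>[^/\s?"]+)[^"]*"\s+(?P<status>\d{3})'
)
CLIENT_RE = re.compile(r"^(?P<client>\S+)")      # first field: client address
TIME_RE = re.compile(r"\[(?P<time>[^\]]+)\]")    # bracketed timestamp


def find_bulk_role_deletes(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per POST to a role-mapping-delete endpoint.

    A 2xx status means the server accepted the bulk removal; anything else
    is an attempt that was rejected and is worth a lower-priority look.
    """
    findings = []
    for line in lines:
        m = ENDPOINT_RE.search(line)
        if not m:
            continue  # not one of the vulnerable endpoints (or not a POST)
        client = CLIENT_RE.match(line)
        when = TIME_RE.search(line)
        status = m.group("status")
        findings.append({
            "client": client.group("client") if client else "?",
            "time": when.group("time") if when else "?",
            "realm": m.group("realm"),
            "kind": m.group("kind"),
            "target": m.group("target"),
            "status": status,
            "outcome": "succeeded" if status.startswith("2") else "rejected",
        })
    return findings


# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Jun/2026:10:01:02 +0000] "GET /admin/realms/master/users HTTP/1.1" 200 512',
    '10.0.0.7 - - [11/Jun/2026:10:02:15 +0000] "POST /admin/realms/master/ui-ext/role-mapping-delete/users/0f1e2d3c-example HTTP/1.1" 204 0',
    '10.0.0.7 - - [11/Jun/2026:10:02:40 +0000] "POST /admin/realms/tenant-a/ui-ext/role-mapping-delete/groups/9a8b7c6d-example HTTP/1.1" 403 27',
    '10.0.0.9 - - [11/Jun/2026:10:03:01 +0000] "DELETE /admin/realms/master/users/0f1e2d3c-example/role-mappings/realm HTTP/1.1" 204 0',
]

if __name__ == "__main__":
    for f in find_bulk_role_deletes(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} realm={f['realm']} {f['kind']}/{f['target']} -> {f['outcome']} ({f['status']})")
```

Successful hits should then be cross-checked against Keycloak's admin events for the same realm and target to confirm which roles were removed and by which delegated administrator.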
Mitigation Strategies

To mitigate this vulnerability, restrict access to the vulnerable bulk role-mapping-delete endpoints in the Keycloak admin-ui-ext extension.

Ensure that only fully privileged administrators use these endpoints, and prevent delegated administrators with limited permissions from performing bulk role removals.

Monitor and audit role removal activities closely to detect unauthorized changes.

Apply any available patches or updates from Keycloak or your vendor that address this authorization bypass.
