CVE-2026-12388
Status: Awaiting Analysis

Hardcoded Role Mapper Privilege Escalation in Keycloak

Vulnerability report for CVE-2026-12388, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Red Hat, Inc.

Description

A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role" mapper that assigns high-level administrative roles (like realm-admin) to themselves or others. This allows a restricted administrator to bypass security checks and gain full control over the entire realm.

CVSS Scores

EPSS Scores

Probability: N/A
Percentile: N/A

Meta Information

Published
2026-06-30
Last Modified
2026-06-30
Generated
2026-06-30
AI Q&A
2026-06-30
EPSS Evaluated
N/A
References: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
redhat keycloak *

Helpful Resources

Exploitability

CWE: CWE-266 (Incorrect Privilege Assignment). A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Executive Summary

CVE-2026-12388 is a privilege-escalation flaw in Keycloak's Identity Provider (IdP) mapper component. An administrator who holds only the permission to manage identity providers (the manage-identity-providers client role of the realm-management client) can create a "Hardcoded Role" mapper on an identity provider and point it at a high-level administrative role such as realm-admin. The IdP mapper endpoint does not verify that the caller is itself permitted to grant the role being hardcoded, so a delegated administrator obtains a grant that would otherwise require realm-admin or user-management rights. Once a user authenticates through that identity provider, the mapper assigns the role, and the attacker ends up with full control over the realm.

Impact Analysis

A delegated administrator with only identity-provider management rights can escalate to full realm administrator. Because realm-admin is a composite of every realm-management role, the attacker can then manage all users, credentials, roles, clients and realm settings: create or take over accounts, change authentication flows and weaken or remove other administrators' access, which can lead to unauthorized access, data exposure and disruption of every application that relies on the realm. Two details matter when assessing exposure. First, a Hardcoded Role mapper grants its role when a user logs in through the identity provider it is attached to, so the attacker needs a brokered login (for example with their own account, through a provider they configure themselves) rather than a direct role assignment. Second, the attack leaves a durable artifact, the mapper itself, in the realm configuration, and the role it granted remains on the user even after the mapper is removed.

Detection Guidance

Detection has two sides: finding mappers that already exist, and catching their creation. For the first, enumerate every identity provider in each realm together with its mappers, and flag any mapper whose type is "Hardcoded Role" (provider id hardcoded-role-idp-mapper in the Admin REST API) and whose role setting names a privileged role. Keycloak stores a client role in the mapper's config as <clientId>.<roleName>, so realm-admin appears as realm-management.realm-admin; realm roles appear by bare name (in the master realm, admin and create-realm deserve the same scrutiny). A hardcoded role that is itself a composite containing realm-admin is just as dangerous, so resolve composites rather than matching only the literal name.

The listing itself only needs view-identity-providers (or realm-admin). Using Keycloak's Admin REST API:

  • curl -sS -H "Authorization: Bearer <admin-token>" "https://<keycloak-server>/admin/realms/<realm>/identity-provider/instances"
  • curl -sS -H "Authorization: Bearer <admin-token>" "https://<keycloak-server>/admin/realms/<realm>/identity-provider/instances/<idp-alias>/mappers"

On Keycloak releases before 17 (the WildFly distribution) the admin API is served under /auth/admin/..., and a Quarkus-based deployment started with a custom http-relative-path uses that prefix instead.

Review the output for mappers whose identityProviderMapper is hardcoded-role-idp-mapper and whose config.role is realm-admin, another realm-management role, or a composite that includes one, and repeat the check in every realm, not only the one the delegated administrator was scoped to.
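The audit described above, written out as an added example (not Keycloak's own tooling and not part of the original report). It applies the same check to every identity provider in a realm and flags only Hardcoded Role mappers whose role is on a privileged list; the base URL, realm, aliases, mapper ids and names in the sample data are constructed for the example.

```python
"""Audit Keycloak identity-provider mappers for "Hardcoded Role" mappers that
grant privileged roles. Added example, not Keycloak's own tooling."""
import json
import urllib.request

# Provider id Keycloak uses for the "Hardcoded Role" IdP mapper type.
HARDCODED_ROLE_MAPPER = "hardcoded-role-idp-mapper"

# Roles that must never be hardcoded without an approval record. Keycloak stores
# a client role in the mapper's "role" config value as "<clientId>.<roleName>";
# realm roles appear by bare name. Extend this set for your own deployment.
PRIVILEGED_ROLES = {
    "realm-management.realm-admin",
    "realm-management.manage-realm",
    "realm-management.manage-users",
    "realm-management.manage-clients",
    "realm-management.manage-identity-providers",
    "admin",         # master-realm role
    "create-realm",  # master-realm role
}


def hardcoded_role(mapper):
    """Return the role a mapper hardcodes, or None for any other mapper type."""
    if mapper.get("identityProviderMapper") != HARDCODED_ROLE_MAPPER:
        return None
    return (mapper.get("config") or {}).get("role")


def find_privileged_mappers(mappers_by_idp, privileged_roles=PRIVILEGED_ROLES):
    """Return one finding per Hardcoded Role mapper naming a privileged role.

    mappers_by_idp maps an IdP alias to the list returned by
    GET /admin/realms/{realm}/identity-provider/instances/{alias}/mappers.
    """
    findings = []
    for alias, mappers in mappers_by_idp.items():
        for mapper in mappers:
            role = hardcoded_role(mapper)
            if role in privileged_roles:
                findings.append({
                    "idp": alias,
                    "mapper_id": mapper.get("id"),
                    "mapper_name": mapper.get("name"),
                    "role": role,
                })
    return findings


def fetch_mappers_by_idp(base_url, realm, token):
    """Collect live data from the Admin REST API (needs network; not run here).

    base_url is e.g. "https://sso.example.com" (hypothetical). On Keycloak
    releases before 17 insert "/auth" before "/admin".
    """
    def get(path):
        req = urllib.request.Request(
            f"{base_url}/admin/realms/{realm}/{path}",
            headers={"Authorization": f"Bearer {token}"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return {
        idp["alias"]: get(f"identity-provider/instances/{idp['alias']}/mappers")
        for idp in get("identity-provider/instances")
    }


# Constructed sample in the shape of IdentityProviderMapperRepresentation
# (aliases, ids and names are made up for the example).
SAMPLE_MAPPERS = {
    "corp-saml": [
        {"id": "1a2b3c4d-0000-4000-8000-000000000001", "name": "email",
         "identityProviderAlias": "corp-saml",
         "identityProviderMapper": "saml-user-attribute-idp-mapper",
         "config": {"attribute.name": "email", "user.attribute": "email"}},
        {"id": "1a2b3c4d-0000-4000-8000-000000000002", "name": "sync-admins",
         "identityProviderAlias": "corp-saml",
         "identityProviderMapper": "hardcoded-role-idp-mapper",
         "config": {"role": "realm-management.realm-admin", "syncMode": "FORCE"}},
    ],
    "github": [
        {"id": "1a2b3c4d-0000-4000-8000-000000000003", "name": "offline",
         "identityProviderAlias": "github",
         "identityProviderMapper": "hardcoded-role-idp-mapper",
         "config": {"role": "offline_access", "syncMode": "INHERIT"}},
    ],
}

if __name__ == "__main__":
    # Replace SAMPLE_MAPPERS with fetch_mappers_by_idp(url, realm, token) for a live audit.
    for finding in find_privileged_mappers(SAMPLE_MAPPERS):
        print(f"[!] {finding['idp']}: mapper {finding['mapper_name']!r} "
              f"({finding['mapper_id']}) hardcodes {finding['role']}")
```

The literal role list is the weak point of this check: a custom realm role that is a composite of realm-management.realm-admin would pass unnoticed. For a complete audit, resolve each hardcoded role's composites through the Admin API (the roles endpoints return a role's effective composite members) before comparing against the privileged set.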

Mitigation Strategies

Until a fixed release is installed, restrict the manage-identity-providers role (a client role of the realm-management client, also included in the realm-admin composite) to administrators who are already trusted with realm-admin rights. Anyone holding it can exploit the flaw, so delegating identity-provider management to lower-trust operators is unsafe on affected versions. List who holds the role directly, through composite roles and through group membership, and remove it from delegated accounts.

Audit existing identity-provider mappers in every realm for "Hardcoded Role" mappers that assign realm-admin or other realm-management roles, and remove or correct any that are not explicitly approved. Then review the users who logged in through those identity providers while the mapper existed: a role the mapper granted stays on the user after the mapper is deleted and must be revoked separately.

Apply the Keycloak update, or Red Hat's build of it, that addresses this CVE as soon as one is available; this report does not yet list fixed versions.

Monitor administrative actions on identity providers and mappers. Enable admin events for the realm with "Include representation" so that each CREATE or UPDATE of an IDENTITY_PROVIDER_MAPPER records the acting user, its source IP and the mapper's full configuration, and alert on Hardcoded Role mappers that name a privileged role.
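The monitoring step above, as an added example (not Keycloak's own tooling and not part of the original report): it reads the realm's admin events, keeps only mapper creations and updates, and raises a high-severity alert when the stored representation is a Hardcoded Role mapper naming a privileged role. Events recorded without a representation (admin events saved without "Include representation") cannot be judged, so they are returned for manual review instead of being dropped. The realm name, aliases, user ids, IPs and mapper ids in the sample events are constructed.

```python
"""Flag Keycloak admin events that create or change a "Hardcoded Role" IdP
mapper granting a privileged role. Added example, not Keycloak's own tooling."""
import json
import urllib.request

HARDCODED_ROLE_MAPPER = "hardcoded-role-idp-mapper"
PRIVILEGED_ROLES = {
    "realm-management.realm-admin",
    "realm-management.manage-realm",
    "realm-management.manage-users",
    "realm-management.manage-identity-providers",
    "admin",
    "create-realm",
}


def alerts_from_admin_events(events, privileged_roles=PRIVILEGED_ROLES):
    """Turn IDENTITY_PROVIDER_MAPPER CREATE/UPDATE events into alerts.

    events is the list returned by GET /admin/realms/{realm}/admin-events.
    The "representation" field exists only when admin events are saved with
    "Include representation"; without it the hardcoded role is invisible, so
    such events are returned for manual review rather than silently dropped.
    """
    alerts = []
    for ev in events:
        if ev.get("resourceType") != "IDENTITY_PROVIDER_MAPPER":
            continue
        if ev.get("operationType") not in ("CREATE", "UPDATE"):
            continue
        path = ev.get("resourcePath", "")
        # resourcePath: identity-provider/instances/<alias>/mappers/<mapper id>
        parts = path.split("/")
        auth = ev.get("authDetails") or {}
        alert = {
            "time": ev.get("time"),
            "operation": ev["operationType"],
            "idp": parts[2] if len(parts) > 2 else None,
            "actor_user_id": auth.get("userId"),
            "actor_ip": auth.get("ipAddress"),
        }
        rep = ev.get("representation")
        if not rep:
            alert.update(severity="review", reason=f"no representation stored for {path}")
            alerts.append(alert)
            continue
        mapper = json.loads(rep)
        if mapper.get("identityProviderMapper") != HARDCODED_ROLE_MAPPER:
            continue
        role = (mapper.get("config") or {}).get("role")
        if role in privileged_roles:
            alert.update(severity="high", role=role, mapper_name=mapper.get("name"))
            alerts.append(alert)
    return alerts


def fetch_admin_events(base_url, realm, token, max_events=500):
    """Pull mapper events from the Admin REST API (needs network; not run here)."""
    query = ("admin-events?resourceTypes=IDENTITY_PROVIDER_MAPPER"
             f"&operationTypes=CREATE&operationTypes=UPDATE&max={max_events}")
    req = urllib.request.Request(f"{base_url}/admin/realms/{realm}/{query}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _event(op, path, user, rep=None, rtype="IDENTITY_PROVIDER_MAPPER"):
    """Build a constructed event in the shape of AdminEventRepresentation."""
    ev = {"time": 1782000000000, "realmId": "corp",
          "authDetails": {"realmId": "corp", "clientId": "admin-cli",
                          "userId": user, "ipAddress": "10.20.30.40"},
          "resourceType": rtype, "operationType": op, "resourcePath": path}
    if rep is not None:
        ev["representation"] = json.dumps(rep)
    return ev


# Constructed sample (realm, aliases, user ids and IPs are made up).
SAMPLE_EVENTS = [
    # a delegated IdP admin hardcodes realm-admin: the pattern this CVE enables
    _event("CREATE", "identity-provider/instances/corp-saml/mappers/m-0001", "u-delegated",
           {"name": "sync-admins", "identityProviderMapper": HARDCODED_ROLE_MAPPER,
            "config": {"role": "realm-management.realm-admin", "syncMode": "FORCE"}}),
    # routine attribute-mapper change: ignored
    _event("UPDATE", "identity-provider/instances/corp-saml/mappers/m-0002", "u-ops",
           {"name": "email", "identityProviderMapper": "saml-user-attribute-idp-mapper",
            "config": {"attribute.name": "email", "user.attribute": "email"}}),
    # representation not stored: cannot see the role, so it goes to review
    _event("CREATE", "identity-provider/instances/partner-oidc/mappers/m-0003", "u-delegated"),
    # unrelated resource type: ignored
    _event("UPDATE", "users/u-0042", "u-ops", rtype="USER"),
]

if __name__ == "__main__":
    # Swap SAMPLE_EVENTS for fetch_admin_events(url, realm, token) in production.
    for a in alerts_from_admin_events(SAMPLE_EVENTS):
        print(a)
```

Admin events are off by default and, even when on, store the representation only if "Include representation" is enabled under the realm's event settings, which is why the review path exists. The actor_user_id in each alert can be cross-checked against the holders of manage-identity-providers (the realm-management client's role-members endpoint lists users with the role mapped directly; holders through composites or groups need a separate query) to confirm that the change came from a delegated rather than a full administrator.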

Compliance Impact

This vulnerability allows a restricted administrator to escalate privileges to full realm administrator by exploiting a flaw in the Identity Provider mapper component of Keycloak. Such unauthorized privilege escalation can lead to unauthorized access to sensitive user data and administrative functions.

Because of this, organizations using affected versions of Keycloak may face increased risk of data breaches or unauthorized data manipulation, which can impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal and sensitive information.

Failure to prevent such privilege escalation could result in violations of these regulations, potentially leading to legal penalties, loss of trust, and other compliance-related consequences.
