CVE-2026-4629
Status: Awaiting Analysis (Queue)

Hardcoded Role Mapper Privilege Escalation in Keycloak

Vulnerability report for CVE-2026-4629, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Red Hat, Inc.

Description

A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm.

Meta Information

  • Published: 2026-06-30
  • Last Modified: 2026-06-30
  • Generated: 2026-06-30
  • AI Q&A: 2026-06-30
  • EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

  • Vendor: keycloak; Product: keycloak; Version / Range: *

Exploitability

CWE ID and description:

  • CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Executive Summary

CVE-2026-4629 is a vulnerability in Keycloak where a highly privileged user with the manage-clients permission can escalate their privileges by injecting a hardcoded role mapper into any client.

This role mapper injects the realm-admin role into generated tokens, bypassing existing scope restrictions and allowing the user to gain full administrative access to the realm.

The attack involves creating a user with only the manage-clients role, adding an oidc-hardcoded-role-mapper configured to inject the realm-admin role, authenticating through that client, and then using the token with the injected role to access the admin API.

Impact Analysis

This vulnerability can lead to privilege escalation, allowing a user with limited permissions to gain full administrative access to the Keycloak realm.

With full realm-admin access, the attacker can manage all aspects of the realm, potentially compromising security, user data, and system configurations.

Detection Guidance

Detecting exploitation of this vulnerability means identifying whether any client in Keycloak has an `oidc-hardcoded-role-mapper` configured to inject the realm-admin role. Specifically, check for mappers of that type whose configuration contains `{"role": "realm-management.realm-admin"}`.

Also audit which users hold the manage-clients permission and verify whether any of them has added such a hardcoded role mapper to a client.

Keycloak's admin CLI (`kcadm.sh`) or the Admin REST API can list clients and their protocol mappers, for example:

  • List the clients of a realm: `kcadm.sh get clients -r <realm>`
  • For each client, list its protocol mappers: `kcadm.sh get clients/<client-id>/protocol-mappers/models -r <realm>` (here `<client-id>` is the client's internal `id` from the previous listing, not its `clientId`)
  • Look for protocol mappers of type `oidc-hardcoded-role-mapper` whose `config.role` is set to `realm-management.realm-admin`.

Additionally, monitor tokens issued by clients for an unexpected realm-admin role, which could indicate exploitation.
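As an added example (not from the advisory or from the Keycloak project), the following Python triage helper implements the two checks above: it flags `oidc-hardcoded-role-mapper` entries in a client's mapper listing, with the realm-admin indicator listed first, and tests whether an access-token payload carries the `realm-management` client role `realm-admin`. The mapper list and the token builder are constructed sample input; the `protocolMapper`/`config` field names follow the JSON that `kcadm.sh` prints, and client roles are read from the `resource_access` claim where Keycloak places them.

```python
# Audit helper for CVE-2026-4629 (added example, not part of the advisory).
# Input: the JSON list that `kcadm.sh get clients/<id>/protocol-mappers/models`
# returns. The sample mapper list and the tokens built below are constructed.
import base64
import json

TARGET_ROLE = "realm-management.realm-admin"  # config value named in the advisory
MAPPER_TYPE = "oidc-hardcoded-role-mapper"

# Constructed sample of one client's mapper listing (fields as kcadm prints them).
SAMPLE_MAPPERS = [
    {"id": "m1", "name": "username", "protocolMapper": "oidc-usermodel-property-mapper",
     "config": {"user.attribute": "username", "claim.name": "preferred_username"}},
    {"id": "m2", "name": "hardcoded admin", "protocolMapper": MAPPER_TYPE,
     "config": {"role": "realm-management.realm-admin"}},
    {"id": "m3", "name": "offline", "protocolMapper": MAPPER_TYPE,
     "config": {"role": "offline_access"}},
]


def hardcoded_role_mappers(mappers, role=TARGET_ROLE):
    """Return (id, name, role) for every hardcoded role mapper, `role` hits first.

    Every hardcoded role mapper deserves review; one injecting `role` is the
    exact indicator the advisory gives, so it sorts to the front.
    """
    hits = [(m["id"], m["name"], m.get("config", {}).get("role", ""))
            for m in mappers if m.get("protocolMapper") == MAPPER_TYPE]
    return sorted(hits, key=lambda h: h[2] != role)


def token_has_realm_admin(access_token):
    """True if the token payload grants the realm-management/realm-admin client role.

    Client roles sit under resource_access.<clientId>.roles. The signature is
    not verified: this triages logged tokens, it is not an authorization check.
    """
    seg = access_token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    roles = payload.get("resource_access", {}).get("realm-management", {}).get("roles", [])
    return "realm-admin" in roles


def sample_token(payload):
    """Build an unsigned JWT-shaped string from a dict (constructed test input only)."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(payload)}.sig"
```

Mappers attached through client scopes are not covered by a per-client listing; run the same check over `kcadm.sh get client-scopes/<scope-id>/protocol-mappers/models -r <realm>` for the scopes assigned to each client.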

Mitigation Strategies

Immediate mitigation steps include restricting the manage-clients permission to only fully trusted administrators, as this permission allows exploitation of the vulnerability.

Audit existing clients for any oidc-hardcoded-role-mapper configured to inject the realm-admin role and remove such mappers if found.

Review and tighten client protocol mapper configurations to prevent unauthorized role injections.

Monitor and revoke any tokens that may have been issued with the injected realm-admin role.

Apply any available patches or updates from Keycloak addressing this vulnerability once released.

Compliance Impact

This vulnerability allows a user with limited permissions to escalate their privileges to full administrative access within Keycloak by injecting a hardcoded role mapper. Such unauthorized privilege escalation can lead to unauthorized access to sensitive data and administrative functions.

Because Keycloak is often used for identity and access management, exploitation of this vulnerability could result in violations of access control requirements mandated by common standards and regulations such as GDPR and HIPAA. Specifically, unauthorized administrative access could lead to improper handling or exposure of personal or protected health information, thereby impacting compliance.
