CVE-2026-16106
Received Received - Intake

Privileged Role Removal in Keycloak via Missing Authorization

Vulnerability report for CVE-2026-16106, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Red Hat, Inc.

Description

A flaw was found in the admin REST API of Keycloak, a solution for identity and access management. The issue occurs when a delegated administrator attempts to remove a child role from a composite role. Due to missing authorization checks, an attacker with limited administrative permissions can remove privileged roles they are not authorized to manage, leading to a loss of access for other users and administrators.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
redhat keycloak *
keycloak keycloak *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is in Keycloak's admin REST API. It allows delegated administrators with limited permissions to remove privileged child roles from composite roles without proper authorization checks. The issue specifically affects DELETE endpoints for role composites, which do not enforce per-child role checks unlike the add operation.

Detection Guidance

Check Keycloak server logs for unauthorized DELETE requests to role composite endpoints. Look for requests targeting privileged roles like realm-admin. Verify if delegated administrators are performing role removal operations outside expected workflows.

Impact Analysis

An attacker with a delegated admin account could remove high-privilege roles like realm-admin from composite roles. This would strip those roles from assigned users or groups, degrading administrative privileges or disrupting realm functionality. No user interaction is required for exploitation.

Compliance Impact

This vulnerability could impact compliance with GDPR and HIPAA by enabling unauthorized privilege removal. Attackers with delegated admin access could strip high-privilege roles like realm-admin, leading to unauthorized access or denial of critical functions. This may violate access control requirements in GDPR (Article 32) and HIPAA (45 CFR Β§ 164.308(a)(4)).

Mitigation Strategies

Apply the latest Keycloak security patch immediately. Review delegated administrator permissions and restrict manage permissions on parent role containers. Monitor role composite changes and audit privileged role modifications.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16106. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart