
Red Hat Keycloak CVE-2026-11986

EUVD-2026-36267 · MEDIUM
Direct Request ('Forced Browsing') (CWE-425)
Published 2026-06-11 · redhat · GHSA-6w3v-mcfh-m3q7
CVSS 3.1 (NVD): 4.9

Severity by source

Source            Score   Severity   Basis
Vendor (redhat)   -       MEDIUM     qualitative (PRIMARY)
NVD               4.9     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
vuln.today AI     4.9     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
                                     CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Red Hat           4.9     MEDIUM     qualitative

vuln.today AI rationale: a network-accessible admin-UI endpoint warrants AV:N; delegated admin credentials are required (PR:H); only the integrity of role mappings is affected, so C:N and A:N but I:H.

Primary rating from Vendor (redhat).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jun 11, 2026, 18:16 (vuln.today)

Description (NVD)

A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.

Analysis (AI)

Broken access control in the admin-ui-ext component of Red Hat Build of Keycloak lets an authenticated delegated administrator exploit missing granular permission checks on bulk role-removal endpoints, stripping highly privileged roles from arbitrary users or groups within the Keycloak realm. Affected deployments are those using Keycloak's delegated administration model with the admin-ui-ext extension active; the PR:H metric reflects that an attacker must already hold delegated admin credentials. …
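The flaw described in the Description and Analysis above is a server-side authorization gap: the endpoint confirms that the caller is an administrator of some kind but never asks whether the caller is allowed to touch each role in the batch. The following is an added example, not Keycloak's or admin-ui-ext's code: a hypothetical model in which `map_role_grants` stands in for the fine-grained permission a delegated admin holds over specific roles, `bulk_remove_vulnerable` shows the coarse check, and `bulk_remove_hardened` shows a per-role, all-or-nothing check. Realm contents, user and role names are constructed for the example.

```python
"""Model of a bulk role-removal endpoint with a coarse authorization check
beside a hardened version that authorizes every role in the batch before any
mapping is changed. Hypothetical model, not Keycloak code."""
from __future__ import annotations

from dataclasses import dataclass


class Forbidden(Exception):
    pass


@dataclass
class Realm:
    # user -> role names currently mapped to that user
    role_mappings: dict[str, set[str]]
    # delegated admin -> role names they may map or unmap (stands in for a
    # fine-grained "map role" grant; assumption made for this example)
    map_role_grants: dict[str, set[str]]

    def is_admin(self, caller: str) -> bool:
        return caller in self.map_role_grants

    def may_map_role(self, caller: str, role: str) -> bool:
        return role in self.map_role_grants.get(caller, set())

    def _remove(self, target: str, roles: list[str]) -> list[str]:
        mapped = self.role_mappings.setdefault(target, set())
        removed = [r for r in roles if r in mapped]
        mapped.difference_update(removed)
        return removed


def bulk_remove_vulnerable(realm: Realm, caller: str, target: str,
                           roles: list[str]) -> list[str]:
    """Coarse check only: any delegated admin may remove any role. The UI may
    hide the button, but a direct request reaches this code path."""
    if not realm.is_admin(caller):
        raise Forbidden("not an administrator")
    return realm._remove(target, roles)


def bulk_remove_hardened(realm: Realm, caller: str, target: str,
                         roles: list[str]) -> list[str]:
    """Per-role authorization, evaluated for the whole batch before any
    change: one unauthorized role rejects the entire request."""
    if not realm.is_admin(caller):
        raise Forbidden("not an administrator")
    denied = sorted(r for r in roles if not realm.may_map_role(caller, r))
    if denied:
        raise Forbidden(f"{caller!r} may not unmap {denied}")
    return realm._remove(target, roles)


def make_realm() -> Realm:
    # Constructed fixture: alice is a full realm admin, helpdesk is a
    # delegated admin allowed to manage two low-privilege roles.
    return Realm(
        role_mappings={"alice": {"realm-admin", "view-users"},
                       "bob": {"offline_access"}},
        map_role_grants={"helpdesk": {"offline_access", "view-users"},
                         "full-admin": {"realm-admin", "view-users",
                                        "offline_access"}},
    )


def demo() -> dict[str, object]:
    out: dict[str, object] = {}
    realm = make_realm()
    # Delegated admin strips realm-admin from alice via the coarse check.
    out["vulnerable_removed"] = bulk_remove_vulnerable(
        realm, "helpdesk", "alice", ["realm-admin"])
    out["vulnerable_alice_roles"] = set(realm.role_mappings["alice"])

    realm = make_realm()
    # Same batch mixed with an in-scope role: hardened path rejects all of it.
    try:
        bulk_remove_hardened(realm, "helpdesk", "alice",
                             ["view-users", "realm-admin"])
        out["hardened_denied"] = False
    except Forbidden:
        out["hardened_denied"] = True
    out["hardened_alice_roles"] = set(realm.role_mappings["alice"])
    # Purely in-scope batch still works for the delegated admin.
    out["hardened_in_scope"] = bulk_remove_hardened(
        realm, "helpdesk", "alice", ["view-users"])
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the all-or-nothing shape is that a bulk endpoint must not partially apply a batch and then fail: a half-applied removal is exactly the integrity damage the page describes, and it is harder to audit than a rejected request.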


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate as a delegated Keycloak admin
Delivery: Identify a high-privilege target user or group in the realm
Exploit: Craft a bulk role-removal API request targeting privileged role mappings
Execution: Submit the request directly to the admin-ui-ext endpoint
Persist: Bypass the missing granular permission check (CWE-425)
Impact: Privileged role stripped from the target account, disrupting realm access control

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to possess valid delegated administrator credentials within the target Keycloak instance, as reflected by PR:H in the CVSS vector; unauthenticated or standard user access is insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The vendor-supplied CVSS base score of 4.9 (Medium) is internally consistent: PR:H acknowledges that exploitation is restricted to actors who already hold delegated administrator credentials, which narrows the attack surface to insider threats, compromised sub-admin accounts, or social engineering aimed at sub-admins. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: A delegated Keycloak administrator holding a narrowly scoped realm-management role sends a crafted POST request directly to the admin-ui-ext bulk role-removal endpoint, naming a target user who holds a highly privileged role mapping such as the realm-admin composite role of the realm-management client. Because the endpoint does not verify that the requesting delegated admin has authority over each role named in the request (CWE-425), the server processes the deletion and strips the privileged role from the targeted account. …
Remediation: No specific patched version was confirmed in the available intelligence data; administrators should consult the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-11986 and monitor https://bugzilla.redhat.com/show_bug.cgi?id=2487906 for patch availability and exact fix versions. … Detailed patch versions, workarounds, and compensating controls in full report.
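Until a fix version is confirmed, the compensating control a practitioner can apply today is to watch Keycloak's admin events for deletions of privileged role mappings, especially by accounts that are not full realm administrators. The block below is an added example, not part of the page or of Keycloak: it reviews admin events in the shape returned by the admin-events REST representation (fields `operationType`, `resourceType`, `resourcePath`, `authDetails`, `representation`; this shape and the set of privileged role names are assumptions) and flags removals of privileged roles. The sample events and the `FULL_ADMINS` allow-list are constructed.

```python
"""Flag Keycloak admin events that remove privileged role mappings.
Added example; event field names follow the admin-events REST
representation (assumed), sample events are constructed."""
import json
from typing import Any

# Role names treated as privileged (assumption; tune per deployment).
PRIVILEGED_ROLES = {"realm-admin", "manage-realm", "manage-users",
                    "manage-clients", "manage-authorization", "impersonation"}
# Accounts expected to manage privileged mappings; any other actor is
# treated as a delegated admin (constructed allow-list).
FULL_ADMINS = {"admin-0001"}
ROLE_MAPPING_TYPES = {"REALM_ROLE_MAPPING", "CLIENT_ROLE_MAPPING"}


def roles_in(event: dict[str, Any]) -> set[str]:
    """Role names from the event's representation, which Keycloak stores as
    a JSON string (only present when 'include representation' is enabled)."""
    rep = event.get("representation")
    if rep is None:
        return set()
    if isinstance(rep, str):
        try:
            rep = json.loads(rep)
        except ValueError:
            return set()
    if isinstance(rep, dict):
        rep = [rep]
    return {r["name"] for r in rep if isinstance(r, dict) and r.get("name")}


def flag_privileged_removals(events: list[dict[str, Any]],
                             full_admins: set[str] = FULL_ADMINS) -> list[dict[str, Any]]:
    findings = []
    for ev in events:
        if ev.get("operationType") != "DELETE":
            continue
        if ev.get("resourceType") not in ROLE_MAPPING_TYPES:
            continue
        hit = roles_in(ev) & PRIVILEGED_ROLES
        if not hit:
            continue
        actor = (ev.get("authDetails") or {}).get("userId")
        findings.append({
            "time": ev.get("time"),
            "actor": actor,
            "source_ip": (ev.get("authDetails") or {}).get("ipAddress"),
            "target": ev.get("resourcePath"),
            "roles": sorted(hit),
            # A non-full-admin removing a privileged role is the CVE pattern.
            "severity": "high" if actor not in full_admins else "review",
        })
    return findings


def _auth(user_id: str) -> dict[str, str]:
    return {"realmId": "master", "clientId": "security-admin-console",
            "userId": user_id, "ipAddress": "10.0.0.5"}


# Constructed sample events.
SAMPLE_EVENTS = [
    {"time": 1781100000000, "realmId": "corp", "authDetails": _auth("delegated-7f1c"),
     "operationType": "DELETE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": "users/victim-1/role-mappings/clients/realm-mgmt-uuid",
     "representation": json.dumps([{"id": "r1", "name": "realm-admin",
                                    "composite": True, "clientRole": True}])},
    {"time": 1781100001000, "realmId": "corp", "authDetails": _auth("delegated-7f1c"),
     "operationType": "DELETE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/victim-2/role-mappings/realm",
     "representation": json.dumps([{"id": "r2", "name": "offline_access"}])},
    {"time": 1781100002000, "realmId": "corp", "authDetails": _auth("admin-0001"),
     "operationType": "DELETE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": "users/victim-3/role-mappings/clients/realm-mgmt-uuid",
     "representation": json.dumps([{"id": "r3", "name": "manage-users"}])},
    {"time": 1781100003000, "realmId": "corp", "authDetails": _auth("delegated-7f1c"),
     "operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": "users/victim-1/role-mappings/clients/realm-mgmt-uuid",
     "representation": json.dumps([{"id": "r1", "name": "realm-admin"}])},
    {"time": 1781100004000, "realmId": "corp", "authDetails": _auth("delegated-7f1c"),
     "operationType": "DELETE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": "users/victim-4/role-mappings/clients/realm-mgmt-uuid",
     "representation": None},
]

if __name__ == "__main__":
    for f in flag_privileged_removals(SAMPLE_EVENTS):
        print(f)
```

Two caveats: the representation is only recorded when the realm's admin-events setting to include representations is enabled, and the rule assumes the admin-ui-ext bulk endpoint emits standard admin events. If either does not hold, a periodic snapshot of privileged role mappings, diffed against the previous run, gives the same signal with more latency.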


Vendor Status


