Skip to main content

Keycloak CVE-2026-9795

| EUVDEUVD-2026-32710 HIGH
Incorrect Privilege Assignment (CWE-266)
7.3
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.3 HIGH
AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Red Hat
7.3 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 05:01 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 52 maven packages depend on org.keycloak:keycloak-services (20 direct, 32 indirect)

Ecosystem-wide dependent count for version 26.6.4.

DescriptionCVE.org

A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.

AnalysisAI

Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows an administrator with only limited client-management rights to attach arbitrary realm roles - including highly privileged ones - to a client's scope mappings, causing those roles to be injected into user authentication tokens that traverse the modified client. The flaw affects the Red Hat Build of Keycloak per the vendor advisory and has no public exploit identified at time of analysis, but the high-privilege admin pivot makes it operationally significant in multi-tenant identity deployments.

Technical ContextAI

Keycloak is an open-source identity and access management server (commercialized as Red Hat Build of Keycloak) that issues OIDC/SAML tokens whose claims are shaped by per-client scope mappings. FGAPv2 is the second-generation fine-grained admin permissions model that lets operators delegate narrow administrative capabilities (e.g., 'manage-clients' on a single client) instead of granting realm-admin. CWE-266 (Incorrect Privilege Assignment) describes the root cause: the scope-mapping assignment endpoint validates that the caller can edit the client but does not separately verify that the caller is authorized to confer the specific realm role being attached, so the role-assignment path inherits client-scope authority and skips the role-grant authority check. When a user later authenticates through that client, the role propagates into the access token, defeating the realm's intended separation of duties.

RemediationAI

No vendor-released patch identified at time of analysis from the supplied references - monitor https://access.redhat.com/security/cve/CVE-2026-9795 and bug 2482462 for the RHSA erratum and apply the patched Red Hat Build of Keycloak release as soon as it is published. As a compensating control, audit which principals hold FGAPv2 'manage-clients' or equivalent client-scoped permissions and temporarily revoke that delegation, granting client edits only to trusted realm administrators (trade-off: loses the multi-tenant delegation benefit FGAPv2 was deployed for). Additionally, review existing client scope mappings for unexpected realm-role assignments and remove any unauthorized entries, and enable admin event logging on role and scope-mapping changes (events RESOURCE_TYPE=CLIENT_SCOPE_MAPPING) so abuse becomes detectable; this adds log volume but is the most direct detection for exploitation attempts.

CVE-2026-9800 HIGH
8.1 Jun 25

Authorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access con

CVE-2026-11800 HIGH
8.1 Jun 25

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Re

CVE-2026-7504 HIGH
8.1 May 19

Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abus

CVE-2026-9087 HIGH
8.1 May 20

Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstrea

CVE-2026-4636 HIGH
8.1 Apr 02

Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gai

CVE-2026-9099 HIGH
7.7 Jun 25

Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management right

CVE-2026-7307 HIGH
7.5 May 19

Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads

CVE-2026-4634 HIGH
7.5 Apr 02

Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by su

CVE-2026-7507 HIGH
7.5 May 19

Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take

CVE-2026-4282 HIGH
7.4 Apr 02

Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level a

CVE-2026-9086 HIGH
7.3 Jun 25

Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permis

CVE-2026-3872 HIGH
7.3 Apr 02

Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web

Vendor StatusVendor

Share

CVE-2026-9795 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy