Severity by source
AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 52 maven packages depend on org.keycloak:keycloak-services (20 direct, 32 indirect)
Ecosystem-wide dependent count for version 26.6.4.
DescriptionCVE.org
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.
AnalysisAI
Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows an administrator with only limited client-management rights to attach arbitrary realm roles - including highly privileged ones - to a client's scope mappings, causing those roles to be injected into user authentication tokens that traverse the modified client. The flaw affects the Red Hat Build of Keycloak per the vendor advisory and has no public exploit identified at time of analysis, but the high-privilege admin pivot makes it operationally significant in multi-tenant identity deployments.
Technical ContextAI
Keycloak is an open-source identity and access management server (commercialized as Red Hat Build of Keycloak) that issues OIDC/SAML tokens whose claims are shaped by per-client scope mappings. FGAPv2 is the second-generation fine-grained admin permissions model that lets operators delegate narrow administrative capabilities (e.g., 'manage-clients' on a single client) instead of granting realm-admin. CWE-266 (Incorrect Privilege Assignment) describes the root cause: the scope-mapping assignment endpoint validates that the caller can edit the client but does not separately verify that the caller is authorized to confer the specific realm role being attached, so the role-assignment path inherits client-scope authority and skips the role-grant authority check. When a user later authenticates through that client, the role propagates into the access token, defeating the realm's intended separation of duties.
RemediationAI
No vendor-released patch identified at time of analysis from the supplied references - monitor https://access.redhat.com/security/cve/CVE-2026-9795 and bug 2482462 for the RHSA erratum and apply the patched Red Hat Build of Keycloak release as soon as it is published. As a compensating control, audit which principals hold FGAPv2 'manage-clients' or equivalent client-scoped permissions and temporarily revoke that delegation, granting client edits only to trusted realm administrators (trade-off: loses the multi-tenant delegation benefit FGAPv2 was deployed for). Additionally, review existing client scope mappings for unexpected realm-role assignments and remove any unauthorized entries, and enable admin event logging on role and scope-mapping changes (events RESOURCE_TYPE=CLIENT_SCOPE_MAPPING) so abuse becomes detectable; this adds log volume but is the most direct detection for exploitation attempts.
More in Red Hat Build Of Keycloak
View allAuthorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access con
Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Re
Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abus
Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstrea
Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gai
Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management right
Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads
Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by su
Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take
Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level a
Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permis
Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32710
GHSA-32h4-44jj-c5vx