CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Description (NVD)
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.
Analysis (AI)
Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2). An administrator holding only limited client-management rights can attach arbitrary realm roles, including highly privileged ones, to a client's scope mappings; those roles are then projected into the authentication tokens issued to users of the modified client. Per the vendor advisory the flaw affects the Red Hat Build of Keycloak. No public exploit had been identified at the time of analysis, but the pivot from a scoped client administrator to realm-level privilege makes it operationally significant in multi-tenant identity deployments. The CVSS vector is consistent with this: the attacker already needs elevated privileges (PR:H) and a victim user must interact, by authenticating to the modified client (UI:R), but the impact crosses the boundary of that client into the realm (S:C) with high confidentiality and integrity loss.
Remediation (AI)
Within 24 hours: enumerate all Keycloak instances in production and document which administrators hold Fine-Grained Admin Permissions v2 access.
Within 7 days: audit all existing client scope mappings for unauthorized realm role attachments; restrict FGAPv2 access to only essential personnel; implement mandatory approval and logging for scope mapping modifications. …
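The scope-mapping audit above can be scripted against the Keycloak Admin REST API. The following is an added example written for this page, not code from the Keycloak project or from the vendor advisory. It uses two endpoints that exist in current Keycloak releases, GET /admin/realms/{realm}/clients and GET /admin/realms/{realm}/clients/{uuid}/scope-mappings/realm, and compares each client's realm-level scope mappings against a known-good baseline. The privileged role set, the baseline, and the sample API responses are assumptions constructed for the example; the live collector is only exercised when you supply a real base URL and admin token.

```python
"""Audit Keycloak client scope mappings for unexpected or privileged realm roles.

Added example, not Keycloak project code. A realm role listed in a client's
realm-level scope mapping is eligible to appear in tokens issued for that
client, so any role not in the reviewed baseline is a finding, and a role
from the privileged set is a high-priority finding.
"""
import json
import urllib.request
from dataclasses import dataclass

# Assumption: realm roles whose presence in any client's scope mapping must be
# justified. 'admin' and 'create-realm' are the built-in master-realm roles;
# extend this set with the deployment's own privileged roles.
PRIVILEGED_REALM_ROLES = {"admin", "create-realm"}


@dataclass(frozen=True)
class Finding:
    client_id: str   # Keycloak clientId (human-readable), not the UUID
    role: str        # realm role name found in the scope mapping
    privileged: bool # role is in PRIVILEGED_REALM_ROLES
    composite: bool  # role expands to further roles (RoleRepresentation.composite)


def audit_scope_mappings(clients, mappings_by_uuid, baseline,
                         privileged=PRIVILEGED_REALM_ROLES):
    """Return realm roles present in a client's scope mapping but absent from
    the baseline for that client, privileged findings first.

    clients:          list of client representations (needs 'id' and 'clientId')
    mappings_by_uuid: {client uuid: list of RoleRepresentation dicts}
    baseline:         {clientId: set of realm role names approved for that client}
    """
    findings = []
    for client in clients:
        cid = client["clientId"]
        approved = baseline.get(cid, set())
        for role in mappings_by_uuid.get(client["id"], []):
            name = role["name"]
            if name in approved:
                continue
            findings.append(Finding(cid, name, name in privileged,
                                    bool(role.get("composite", False))))
    return sorted(findings, key=lambda f: (not f.privileged, f.client_id, f.role))


def fetch_scope_mappings(base_url, realm, token):
    """Live collector (not run offline): lists clients and each client's
    realm-level scope mappings via the Admin REST API. 'token' is a bearer
    token for an account with view-clients permission in the realm."""
    def get(path):
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/admin/realms/{realm}{path}",
            headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    clients = get("/clients")
    mappings = {c["id"]: get(f"/clients/{c['id']}/scope-mappings/realm")
                for c in clients}
    return clients, mappings


# Constructed sample data standing in for API responses (not real output).
SAMPLE_CLIENTS = [
    {"id": "0f3c-portal", "clientId": "customer-portal"},
    {"id": "7a91-report", "clientId": "reporting-api"},
]
SAMPLE_MAPPINGS = {
    "0f3c-portal": [
        {"name": "offline_access", "composite": False},
        {"name": "admin", "composite": True},          # privileged, not in baseline
    ],
    "7a91-report": [
        {"name": "report-viewer", "composite": False},
        {"name": "report-editor", "composite": True},  # drift, but not privileged
    ],
}
SAMPLE_BASELINE = {
    "customer-portal": {"offline_access"},
    "reporting-api": {"report-viewer"},
}


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_scope_mappings(...)
    # for a live realm.
    for f in audit_scope_mappings(SAMPLE_CLIENTS, SAMPLE_MAPPINGS, SAMPLE_BASELINE):
        level = "HIGH" if f.privileged else "REVIEW"
        print(f"[{level}] client={f.client_id} role={f.role} composite={f.composite}")
```

Run it periodically (or from a CI job against a staging export) and treat any HIGH finding as an incident: a privileged realm role that appears in a client's scope mapping without a matching change record is exactly the artifact this vulnerability produces. Composite roles are worth a second look even when they are not in the privileged set, because their effective privilege is whatever they expand to.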
Related Identifiers
EUVD-2026-32710
GHSA-8hcx-p7m8-gc28