Description
A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.
Published: 2026-06-11
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the admin-ui-ext component of Keycloak allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups through bulk role-removal endpoints that do not perform granular permission checks. Because the bulk endpoints do not check the caller's permission for each role mapping they delete, an administrator whose rights should cover only a narrow set of roles can strip role mappings that grant broad administrative privileges, undermining the integrity of the access control model and potentially locking legitimate administrators out of their duties.
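As an added illustration of the bug class (not Keycloak's code; the permission model, in which a delegated admin may only unmap roles it has itself been granted, and every name below are hypothetical), the following Python contrasts a bulk removal that checks only whether the caller may administer the target user with one that authorizes each requested role before touching anything:

```python
"""Bulk role-mapping removal: one coarse check versus a check per role.

Added illustration of the bug class, not Keycloak's code. The permission
model (a delegated admin may only unmap roles it has been granted) and every
name below are hypothetical.
"""


class Forbidden(Exception):
    """Raised when the caller lacks permission for the requested operation."""


class RoleStore:
    """Toy store: which roles each admin may (un)map, and which roles users hold."""

    def __init__(self, manageable, assignments):
        self.manageable = {k: set(v) for k, v in manageable.items()}
        self.assignments = {k: set(v) for k, v in assignments.items()}

    def can_manage_user(self, admin, user):
        # Coarse check: any delegated admin holding at least one manageable
        # role may touch users' role mappings at all.
        return bool(self.manageable.get(admin))

    def can_map_role(self, admin, role):
        # Granular check: may this admin map or unmap this particular role?
        return role in self.manageable.get(admin, set())


def bulk_remove_vulnerable(store, admin, user, roles):
    """Checks once that the caller may manage the user, then removes every
    requested role. This is the shape of the flaw: the per-role permission
    is never consulted, so a limited admin can strip a privileged role."""
    if not store.can_manage_user(admin, user):
        raise Forbidden("not a delegated admin")
    for role in roles:
        store.assignments[user].discard(role)
    return sorted(store.assignments[user])


def bulk_remove_fixed(store, admin, user, roles):
    """Authorizes every requested role before any mutation, so a single
    unpermitted role rejects the whole request and nothing is half-applied."""
    if not store.can_manage_user(admin, user):
        raise Forbidden("not a delegated admin")
    denied = sorted(r for r in roles if not store.can_map_role(admin, r))
    if denied:
        raise Forbidden(f"{admin} may not unmap {denied}")
    for role in roles:
        store.assignments[user].discard(role)
    return sorted(store.assignments[user])


def demo():
    """Run both variants on the same request; return alice's roles afterwards."""
    def fresh():
        return RoleStore(
            manageable={"helpdesk": {"viewer", "offline_access"}},
            assignments={"alice": {"viewer", "realm-admin", "offline_access"}},
        )

    request = ["viewer", "realm-admin"]  # helpdesk is only allowed "viewer"

    after_vulnerable = bulk_remove_vulnerable(fresh(), "helpdesk", "alice", request)

    store = fresh()
    try:
        bulk_remove_fixed(store, "helpdesk", "alice", request)
    except Forbidden:
        pass  # rejected as a whole; alice's mappings are untouched
    after_fixed = sorted(store.assignments["alice"])
    return after_vulnerable, after_fixed


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable endpoint left alice with:", vuln)
    print("fixed endpoint left alice with:     ", fixed)
```

The hardened variant deliberately authorizes the whole batch before the first deletion: rejecting one role after others have already been removed would leave a partially applied request, which is harder to audit than an all-or-nothing refusal.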

Affected Systems

The advisory lists Red Hat Build of Keycloak and Red Hat JBoss Enterprise Application Platform Expansion Pack. The CPEs carry no version and no fixed release is named, so treat every deployment of these products as affected until Red Hat publishes errata for them. The flawed component is part of Keycloak itself (the keycloak-rest-admin-ui-ext module named in the title), so other Keycloak distributions should be checked against the upstream project's fix as well.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N, score 4.9) describes a network-reachable, low-complexity issue that requires high privileges and affects integrity only; Red Hat rates it Moderate. EPSS is below 1% and the issue is not in the CISA KEV catalog, so there is no sign of active exploitation at publication. The attacker must already hold a delegated administrator account; with one, they can call the bulk role-removal endpoints to strip privileged role mappings from other users or groups that their permissions should not let them touch.

Generated by OpenCVE AI on June 11, 2026 at 20:23 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat errata for Red Hat Build of Keycloak and JBoss EAP XP as soon as they are published; for other Keycloak deployments, upgrade to a release that includes the fix for the admin-ui-ext bulk role-mapping deletion endpoints.
  • Restrict delegated administrator accounts to the minimum permissions their duties require, and keep the set of accounts able to manage role mappings small.
  • Enable admin events with "Include representation" and review DELETE operations on REALM_ROLE_MAPPING and CLIENT_ROLE_MAPPING resources for unexpected removals of privileged roles.
  • Ensure the admin console and its REST endpoints (including admin-ui-ext) are not exposed to untrusted external networks.
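For the audit step, an added example (not from the advisory, Keycloak or OpenCVE) that scans admin events in the JSON shape Keycloak's GET /admin/realms/{realm}/admin-events endpoint returns and flags DELETE operations on role mappings that remove privileged roles. The sample events are constructed; the PRIVILEGED_ROLES list and the trusted-actor set are assumptions to tune for your own deployment:

```python
"""Flag Keycloak admin events that remove privileged role mappings.

Added example, not Keycloak code or OpenCVE tooling. Takes admin events in
the JSON shape returned by GET /admin/realms/{realm}/admin-events and reports
DELETE operations on role mappings that touch privileged roles. The sample
events are constructed; PRIVILEGED_ROLES and trusted_actors are assumptions.
"""
import json
from dataclasses import dataclass

# Assumption: roles whose removal should always be reviewed. realm-admin and
# manage-* are realm-management client roles; "admin" is the master-realm
# super-admin role. Extend for your own delegated-admin scheme.
PRIVILEGED_ROLES = frozenset({
    "admin", "realm-admin", "manage-realm", "manage-users", "manage-clients",
    "manage-authorization", "manage-identity-providers", "impersonation",
})
ROLE_MAPPING_TYPES = frozenset({"REALM_ROLE_MAPPING", "CLIENT_ROLE_MAPPING"})


@dataclass(frozen=True)
class Finding:
    time: int
    actor: str     # authDetails.userId of the admin who made the call
    target: str    # resourcePath, e.g. users/<id>/role-mappings/realm
    roles: tuple   # privileged role names removed, or ("?",) if unknown
    reason: str


def removed_role_names(event):
    """Role names from the event's representation, or None if unavailable.
    Keycloak fills "representation" (a JSON string of the request body) only
    when "Include representation" is enabled for admin events."""
    rep = event.get("representation")
    if not rep:
        return None
    try:
        roles = json.loads(rep)
    except (TypeError, ValueError):
        return None
    if not isinstance(roles, list):
        return None
    return [r.get("name", "?") for r in roles if isinstance(r, dict)]


def find_privileged_role_removals(events, trusted_actors=frozenset()):
    """Return a Finding for each suspicious role-mapping DELETE.
    trusted_actors: user IDs allowed to remove privileged roles (your full
    realm admins). Events lacking a representation are flagged as unknown
    rather than skipped, so a logging gap never hides a bulk removal."""
    findings = []
    for ev in events:
        if ev.get("operationType") != "DELETE":
            continue
        if ev.get("resourceType") not in ROLE_MAPPING_TYPES:
            continue
        actor = (ev.get("authDetails") or {}).get("userId", "?")
        if actor in trusted_actors:
            continue
        when, path = ev.get("time", 0), ev.get("resourcePath", "?")
        names = removed_role_names(ev)
        if names is None:
            findings.append(Finding(when, actor, path, ("?",),
                                    "role-mapping delete without representation"))
            continue
        hit = tuple(sorted(n for n in names if n in PRIVILEGED_ROLES))
        if hit:
            findings.append(Finding(when, actor, path, hit,
                                    "privileged role mapping removed by non-trusted actor"))
    return findings


# Constructed sample events; IDs are placeholders, not real identifiers.
SAMPLE_EVENTS = [
    {   # delegated admin strips realm-admin from another user in one bulk call
        "time": 1780000000000, "operationType": "DELETE",
        "resourceType": "CLIENT_ROLE_MAPPING",
        "resourcePath": "users/u-target/role-mappings/clients/c-realm-mgmt",
        "authDetails": {"userId": "u-delegated"},
        "representation": json.dumps([{"id": "r1", "name": "realm-admin"},
                                      {"id": "r2", "name": "view-users"}]),
    },
    {   # same admin removes a harmless role: not flagged
        "time": 1780000001000, "operationType": "DELETE",
        "resourceType": "REALM_ROLE_MAPPING",
        "resourcePath": "users/u-other/role-mappings/realm",
        "authDetails": {"userId": "u-delegated"},
        "representation": json.dumps([{"id": "r3", "name": "offline_access"}]),
    },
    {   # representation missing (detail logging off): flagged as unknown
        "time": 1780000002000, "operationType": "DELETE",
        "resourceType": "REALM_ROLE_MAPPING",
        "resourcePath": "groups/g-1/role-mappings/realm",
        "authDetails": {"userId": "u-delegated"},
        "representation": None,
    },
]

if __name__ == "__main__":
    for f in find_privileged_role_removals(SAMPLE_EVENTS):
        print(f"{f.time} {f.actor} -> {f.target}: {f.roles} ({f.reason})")
```

Run it against a saved export of the admin-events endpoint, or wire the same function into whatever ships your admin events to a SIEM. If representations are not being stored, every role-mapping delete shows up as "unknown roles", which is the prompt to turn "Include representation" on before relying on this check.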

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

  Type                 Values Removed            Values Added
  First Time appeared  -                         Redhat build Of Keycloak; Redhat jboss Enterprise Application Platform Expansion Pack
  Vendors & Products   -                         Redhat build Of Keycloak; Redhat jboss Enterprise Application Platform Expansion Pack

Fri, 12 Jun 2026 00:15:00 +0000

  Type                 Values Removed            Values Added
  References           (values not shown)        (values not shown)
  Metrics              threat_severity: None     threat_severity: Moderate

Thu, 11 Jun 2026 19:30:00 +0000

  Type                 Values Removed            Values Added
  Metrics              -                         ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 18:00:00 +0000

  Type                 Values Removed            Values Added
  Description          -                         A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.
  Title                -                         Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of keycloak
  First Time appeared  -                         Redhat; Redhat build Keycloak; Redhat jbosseapxp
  Weaknesses           -                         CWE-425
  CPEs                 -                         cpe:/a:redhat:build_keycloak:; cpe:/a:redhat:jbosseapxp
  Vendors & Products   -                         Redhat; Redhat build Keycloak; Redhat jbosseapxp
  References           (values not shown)        (values not shown)
  Metrics              -                         cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-11T18:50:30.698Z

Reserved: 2026-06-11T14:18:10.409Z

Link: CVE-2026-11986

Vulnrichment

Updated: 2026-06-11T18:49:48.522Z

NVD

Status : Awaiting Analysis

Published: 2026-06-11T18:16:25.033

Modified: 2026-06-11T20:56:29.653

Link: CVE-2026-11986

Redhat

Severity : Moderate

Public Date: 2026-06-11T14:17:32Z

Links: CVE-2026-11986 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-12T20:17:58Z

Weaknesses
  • CWE-425

    Direct Request ('Forced Browsing')