Impact
A flaw in the admin-ui-ext component of Keycloak allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups through bulk role-removal endpoints that do not perform granular, per-role permission checks. This undermines the integrity of the access control model: an attacker holding such an account can revoke or alter roles that grant broad administrative privileges.
Affected Systems
The vulnerability affects Red Hat’s Build of Keycloak and the Red Hat JBoss Enterprise Application Platform Expansion Pack. No specific version information is supplied in the advisory, so all currently running instances of these products may be impacted until a patch is applied.
Risk and Exploitability
The CVSS score of 4.9 indicates moderate severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, which suggests no known active exploitation yet. The likely attack vector requires an authenticated delegated-administrator account; an attacker holding such an account can exploit the privilege-bypass issue to revoke or alter critical role mappings.
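As an added defender-side example (not part of the advisory or of Keycloak's own code), the following Python scans Keycloak admin-event records for the pattern described above: a DELETE on a role-mapping resource that strips a highly privileged role, performed by an account outside a list of known full administrators. The event field names (operationType, resourceType, resourcePath, authDetails.userId, representation) are assumed to match what the Keycloak admin-events API returns; the role watchlist, the full-admin allowlist and the sample events are constructed.

```python
import json

# Constructed watchlist of roles granting broad admin privilege; adjust per realm.
PROTECTED_ROLES = {"admin", "realm-admin", "manage-users", "manage-realm"}
# Role-mapping resource types as they appear in Keycloak admin events.
ROLE_MAPPING_TYPES = {"REALM_ROLE_MAPPING", "CLIENT_ROLE_MAPPING"}

def removed_protected_roles(event: dict) -> list[str]:
    """Protected role names removed by one admin event ([] if none)."""
    # Only DELETE on a role-mapping resource is a role revocation.
    if event.get("operationType") != "DELETE":
        return []
    if event.get("resourceType") not in ROLE_MAPPING_TYPES:
        return []
    # 'representation' is a JSON string holding the list of removed roles.
    try:
        roles = json.loads(event.get("representation") or "[]")
    except json.JSONDecodeError:
        return []
    return sorted(r["name"] for r in roles if r.get("name") in PROTECTED_ROLES)

def suspicious_role_removals(events: list[dict], full_admins: set[str]) -> list[dict]:
    """One finding per protected-role removal by an actor outside the full-admin allowlist."""
    findings = []
    for ev in events:
        actor = ev.get("authDetails", {}).get("userId")
        removed = removed_protected_roles(ev)
        # A delegated admin legitimately removes ordinary roles, so report only the
        # combination: protected role removed AND actor is not a known full admin.
        if removed and actor not in full_admins:
            findings.append({"time": ev.get("time"), "actor": actor,
                             "target": ev.get("resourcePath"), "removed_roles": removed})
    return findings

def _event(t, op, actor, path, roles):
    # Constructed sample record in the shape of a Keycloak admin event; placeholder ids.
    return {"time": t, "operationType": op, "resourceType": "REALM_ROLE_MAPPING",
            "resourcePath": path, "authDetails": {"userId": actor},
            "representation": json.dumps([{"name": n} for n in roles])}

SAMPLE_EVENTS = [
    _event(1, "DELETE", "delegated-admin-id", "users/u1/role-mappings/realm", ["admin", "offline_access"]),
    _event(2, "DELETE", "full-admin-id", "users/u2/role-mappings/realm", ["admin"]),
    _event(3, "CREATE", "delegated-admin-id", "users/u1/role-mappings/realm", ["admin"]),
    _event(4, "DELETE", "delegated-admin-id", "users/u3/role-mappings/realm", ["offline_access"]),
]

if __name__ == "__main__":
    for finding in suspicious_role_removals(SAMPLE_EVENTS, full_admins={"full-admin-id"}):
        print(finding)
```

Feed it the output of the admin-events endpoint for the realm and tune PROTECTED_ROLES and the allowlist to the realm's actual privileged roles and full administrators.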
OpenCVE Enrichment