Description
A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role" mapper that assigns high-level administrative roles (like realm-admin) to themselves or others. This allows a restricted administrator to bypass security checks and gain full control over the entire realm.
Published: 2026-06-30
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An administrator with limited permissions to manage identity providers in Keycloak can create a hardcoded role mapper that assigns high‑level administrative roles such as realm‑admin to themselves or others. This flaw stems from improper authorization checks during mapper creation and leads to a complete loss of control over the realm, exposing all configuration, data, and other users to the attacker.

Affected Systems

The vulnerability affects the Red Hat Build of Keycloak; no specific version range is disclosed, so any installation of this product is potentially impacted until a vendor fix is applied.

Risk and Exploitability

The CVSS v3 score of 6.5 places the issue in the medium range, but the nature of the privilege escalation warrants high concern. The EPSS score is not available, so it is unclear how likely exploitation is in the wild, yet the flaw does not require external network exposure, inferring an internal or privileged‑user attack vector. The vulnerability is not listed in the CISA KEV catalogue, but the lack of a public KEV status does not mitigate the risk. Detection would involve monitoring for unauthorized mapper creation and the assignment of high‑privilege roles. Attackers could then operate with realm‑administrator authority, compromising configuration, data, and all other users.

Generated by OpenCVE AI on June 30, 2026 at 13:21 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

OpenCVE Recommended Actions

  • Apply the vendor’s official patch or upgrade to the latest Red Hat Build of Keycloak that contains the fix for this privilege escalation flaw.
  • Limit the ability to create identity provider mappers to users with full realm‑admin rights; disable or restrict hardcoded role mappers for lower‑privilege administrators.
  • Monitor authentication and mapper configuration logs for unexpected creation of identity provider mappers or assignment of high‑level roles, and investigate any anomalies promptly.

Generated by OpenCVE AI on June 30, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Vendors & Products Redhat build Of Keycloak

Tue, 30 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 30 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role" mapper that assigns high-level administrative roles (like realm-admin) to themselves or others. This allows a restricted administrator to bypass security checks and gain full control over the entire realm.
Title Keycloak-broker: keycloak: privilege escalation to realm administrator via improper authorization in identity provider mapper
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-266
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Redhat Build Keycloak Build Of Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-30T15:58:24.834Z

Reserved: 2026-06-16T11:41:17.075Z

Link: CVE-2026-12388

cve-icon Vulnrichment

Updated: 2026-06-30T14:19:01.444Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T20:30:04Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment