No analysis available yet.
Vendor Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Tracking
Sign in to view the affected projects.
No advisories yet.
Fri, 17 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-862 | |
| Metrics |
ssvc
|
Fri, 17 Jul 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in the admin REST API of Keycloak, a solution for identity and access management. The issue occurs when a delegated administrator attempts to remove a child role from a composite role. Due to missing authorization checks, an attacker with limited administrative permissions can remove privileged roles they are not authorized to manage, leading to a loss of access for other users and administrators. | |
| Title | Keycloak-services: keycloak-services: incorrect authorization in admin role-composite deletion allows delegated admin to remove privileged child roles | |
| First Time appeared |
Redhat
Redhat build Keycloak Redhat jboss Data Grid Redhat jbosseapxp Redhat red Hat Single Sign On |
|
| CPEs | cpe:/a:redhat:build_keycloak: cpe:/a:redhat:jboss_data_grid:8 cpe:/a:redhat:jbosseapxp cpe:/a:redhat:red_hat_single_sign_on:7 |
|
| Vendors & Products |
Redhat
Redhat build Keycloak Redhat jboss Data Grid Redhat jbosseapxp Redhat red Hat Single Sign On |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-07-17T16:53:32.052Z
Reserved: 2026-07-17T14:53:02.339Z
Link: CVE-2026-16106
Updated: 2026-07-17T16:53:26.876Z
No data.
No data.
OpenCVE Enrichment
No data.
-
CWE-862
Missing Authorization