Description
A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm.
Published: 2026-06-30
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Red Hat Build of Keycloak allows a user holding the `manage-clients` permission to add a hardcoded role protocol mapper to a client. The mapper bypasses the scope restrictions that would normally limit which roles a client can emit and injects the `realm-admin` role into the tokens that client issues, granting full administrative access to the realm. The weakness is classified as CWE-266 (Incorrect Privilege Assignment): a permission intended only for client configuration effectively grants realm administration. The impact is that an attacker with this permission gains unrestricted administrative privileges within the affected realm, potentially compromising all users, clients and services under that realm.

Affected Systems

The vulnerability affects Red Hat Build of Keycloak. No specific version numbers are listed in the advisory. Any deployment in which `manage-clients` is granted to accounts that are not also trusted with full realm administration is exposed, since while the flaw is unpatched the permission is effectively equivalent to `realm-admin`.

Risk and Exploitability

The CVSS v3.1 score is 6.5 (Medium), vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N: the attack is performed over the network through the admin API or console with low complexity and no user interaction, but it requires high privileges, and the impact is high on confidentiality and integrity with no effect on availability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attacker must control an account or role holding the `manage-clients` permission in the target realm; with that, modifying a client's protocol mappers is enough to escalate to `realm-admin`. The privilege prerequisite narrows the pool of attackers to over-privileged insiders and to anyone who has compromised a client-administrator account, which is why the permission should be treated as realm-administrator-equivalent until the fix is applied.

Generated by OpenCVE AI on June 30, 2026 at 13:51 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.


OpenCVE Recommended Actions

  • Apply any official update from Red Hat as soon as it is released; if no patch is available, follow Red Hat security advisories for interim mitigations.
  • Ensure only trusted administrators have the manage-clients permission and consider revoking this permission from non-essential accounts.
  • Audit all client configurations for injected or unexpected role mappers and remove any that grant realm-admin privileges unless explicitly required.
  • Monitor security logs for authorization changes and anomalous token claims to detect suspicious activity.
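The audit and monitoring steps above can be scripted against the Keycloak Admin REST API. The following is an added example, not code from OpenCVE, Red Hat or the Keycloak project. It scans client representations (the JSON shape returned by `GET /admin/realms/{realm}/clients`) for mappers of type `oidc-hardcoded-role-mapper`, flags any whose `role` config is `realm-management.realm-admin`, and checks an access token's `resource_access` claim for the `realm-admin` client role. The mapper provider id, the `role` config key and the sample clients and tokens are assumptions constructed for this example; confirm the identifiers against your own server's protocol-mapper output before relying on them.

```python
import base64
import json

# Identifiers assumed from Keycloak's OIDC mapper catalogue (verify against
# /admin/realms/{realm}/clients/{id}/protocol-mappers/models on your server).
HARDCODED_ROLE_MAPPER = "oidc-hardcoded-role-mapper"
ROLE_CONFIG_KEY = "role"
# Client roles are written "<clientId>.<roleName>"; realm-admin lives on realm-management.
REALM_ADMIN_ROLE = "realm-management.realm-admin"

# Constructed sample of GET /admin/realms/{realm}/clients, trimmed to the fields
# the audit needs. Not captured from a real server.
SAMPLE_CLIENTS = [
    {"id": "c1", "clientId": "account",
     "protocolMappers": [
         {"name": "username", "protocolMapper": "oidc-usermodel-attribute-mapper",
          "config": {"user.attribute": "username", "claim.name": "preferred_username"}}]},
    {"id": "c2", "clientId": "billing-app",
     "protocolMappers": [
         {"name": "support role", "protocolMapper": HARDCODED_ROLE_MAPPER,
          "config": {ROLE_CONFIG_KEY: "billing-app.support"}},
         {"name": "admin", "protocolMapper": HARDCODED_ROLE_MAPPER,
          "config": {ROLE_CONFIG_KEY: REALM_ADMIN_ROLE}}]},
    {"id": "c3", "clientId": "no-mappers"},
]


def find_hardcoded_role_mappers(clients, allowlist=frozenset()):
    """Return (clientId, mapperName, role, grants_realm_admin) for every hardcoded
    role mapper not listed in allowlist, a set of (clientId, mapperName) pairs
    that have been reviewed and are intentionally present."""
    findings = []
    for client in clients:
        for mapper in client.get("protocolMappers", []):
            if mapper.get("protocolMapper") != HARDCODED_ROLE_MAPPER:
                continue
            name = mapper.get("name", "")
            if (client["clientId"], name) in allowlist:
                continue
            role = mapper.get("config", {}).get(ROLE_CONFIG_KEY, "")
            findings.append((client["clientId"], name, role, role == REALM_ADMIN_ROLE))
    return findings


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(payload: dict) -> str:
    """Build a JWT-shaped string with a dummy signature for offline testing (constructed)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}.dummysig"


def token_grants_realm_admin(token: str) -> bool:
    """Triage helper: does the token payload carry the realm-admin client role?
    The signature is deliberately NOT verified here; use this on tokens pulled
    from logs or proxies, never as an authorization decision."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    roles = payload.get("resource_access", {}).get("realm-management", {}).get("roles", [])
    return "realm-admin" in roles


# Constructed tokens: one carrying realm-admin, one an ordinary user token.
SAMPLE_ADMIN_TOKEN = make_sample_token({
    "sub": "u1", "azp": "billing-app",
    "resource_access": {"realm-management": {"roles": ["realm-admin"]}}})
SAMPLE_USER_TOKEN = make_sample_token({
    "sub": "u2", "azp": "billing-app",
    "resource_access": {"billing-app": {"roles": ["support"]}}})


if __name__ == "__main__":
    for client_id, name, role, is_admin in find_hardcoded_role_mappers(SAMPLE_CLIENTS):
        print(f"{'ALERT' if is_admin else 'review'}: client={client_id} mapper={name!r} role={role}")
    print("admin token carries realm-admin:", token_grants_realm_admin(SAMPLE_ADMIN_TOKEN))
    print("user token carries realm-admin:", token_grants_realm_admin(SAMPLE_USER_TOKEN))
```

In a live run, replace `SAMPLE_CLIENTS` with the JSON from the admin API (a service account with `view-clients` is enough to read it) and feed the mapper findings into change tracking, so that a hardcoded role mapper appearing on a client that did not have one before becomes an alert rather than a line in a report.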

Generated by OpenCVE AI on June 30, 2026 at 13:51 UTC.


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 12:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm.
Title | | Keycloak: keycloak: privilege escalation through hardcoded role mapper injection
First Time appeared | | Redhat; Redhat build Keycloak
Weaknesses | | CWE-266
CPEs | | cpe:/a:redhat:build_keycloak:
Vendors & Products | | Redhat; Redhat build Keycloak
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Redhat Build Keycloak
MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-30T12:00:28.631Z

Reserved: 2026-03-23T08:02:49.337Z

Link: CVE-2026-4629

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T20:45:03Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment