Description
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.
Published: 2026-05-28
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw was discovered in Keycloak's Fine‑Grained Admin Permissions (FGAPv2) feature. An administrator with limited client‑management permissions can add any realm role, including highly privileged ones, to a client’s scope mapping. This bypasses the intended role‑based access controls and allows the injected role to appear in a user’s authentication token when that user accesses the affected client, effectively granting the attacker elevated privileges within the realm.

Affected Systems

The advisory lists Red Hat build of Keycloak as the affected product. No affected version range is given, so any installation that has Fine-Grained Admin Permissions (FGAPv2) switched on for a realm (the `adminPermissionsEnabled` realm attribute) should be treated as potentially affected until a fixed version is published.

Risk and Exploitability

The CVSS 3.1 base score is 7.3 (High) with vector AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N: the attacker must already hold high privileges (an administrator with FGAPv2 client-management permissions), the attack is of high complexity and requires user interaction, and a successful attack crosses a trust boundary (scope changed) with high confidentiality and integrity impact. The flaw is not listed in CISA KEV and its EPSS score is below 1% (very low). The user-interaction requirement matches the attack path: a scope mapping only filters roles a user already holds, so the injected role appears in a token only when a user who actually holds that role authenticates to the modified client, and that token is what exposes the elevated privilege. The attacker uses the FGAPv2-governed admin API to add the role to the client's realm-role scope mapping, which the intended permission checks should have refused.

Generated by OpenCVE AI on May 28, 2026 at 05:22 UTC.

Remediation

Vendor Workaround

To mitigate this issue, disable the Fine-Grained Admin Permissions (FGAPv2) feature in every realm where it is not strictly required. FGAPv2 is switched on per realm through the `adminPermissionsEnabled` realm attribute; setting it to `false` (in the admin console's realm settings, or with a `PUT /admin/realms/{realm}` whose body carries `{"adminPermissionsEnabled": false}`) takes the vulnerable functionality out of use. Because this is a realm attribute, the change takes effect immediately and no restart of the Keycloak service is needed; only disabling the feature at server level (a `--features-disabled` change to the startup configuration) would require a restart. Disabling FGAPv2 also removes the delegated administration it provides, so check which administrators relied on it. Note that the toggle does not undo scope mappings that were already changed: review each client's realm-role scope mappings for privileged roles, including roles reached through composites, that were added before the mitigation.


OpenCVE Recommended Actions

  • Set the realm attribute adminPermissionsEnabled to false on each realm that does not need Fine-Grained Admin Permissions; this is a realm update and takes effect without a service restart.
  • Review every client's realm-role scope mappings for privileged roles (directly or through composite roles) and remove any that were not deliberately granted; disabling FGAPv2 does not revert mappings already made.
  • If FGAPv2 must stay enabled, restrict client-management permissions to trusted administrators and monitor the vendor's update channel for a patch that addresses this deficiency, applying it as soon as it becomes available.
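The review and the realm update described above, as an added example that is not part of the OpenCVE page or of Keycloak's own code: the script reads a realm export (the RealmRepresentation JSON that a realm export or the admin console produces), expands each realm role found in a client's scope mapping through its composites, and reports any mapping that ultimately grants a realm-management client role or a privileged master-realm role, which is the kind of role this flaw lets a limited client admin attach. It also builds the PUT /admin/realms/{realm} request that clears adminPermissionsEnabled. The sample export, the realm name acme, the clients and the ops-lead role are constructed for the example; the export field names and the admin REST endpoint are Keycloak's, while the assumption that a partial realm body updates only the fields it contains is stated here and not taken from the advisory.

```python
"""Audit a Keycloak realm export for privileged realm roles reachable through
client scope mappings, and build the admin REST request that switches FGAPv2
off for one realm. Added example with constructed data, not a real export."""
import json
import urllib.request
from collections import deque

# Client roles of this built-in client confer realm administration rights.
ADMIN_CLIENT = "realm-management"
# Master-realm realm roles that are privileged by name (no-op in other realms).
PRIVILEGED_REALM_ROLES = frozenset({"admin", "create-realm"})

# Constructed sample in RealmRepresentation shape. "ops-lead" is a composite
# realm role that expands to realm-management/realm-admin; "billing-app" carries
# it in its realm-role scope mapping, which is what this flaw lets a limited
# client admin add.
SAMPLE_REALM_EXPORT = {
    "realm": "acme",
    "adminPermissionsEnabled": True,
    "roles": {"realm": [
        {"name": "offline_access", "composite": False},
        {"name": "uma_authorization", "composite": False},
        {"name": "reader", "composite": False},
        {"name": "ops-lead", "composite": True,
         "composites": {"realm": ["reader"],
                        "client": {"realm-management": ["realm-admin"]}}},
    ]},
    "scopeMappings": [
        {"client": "reporting-app", "roles": ["reader"]},
        {"client": "billing-app", "roles": ["reader", "ops-lead"]},
        {"clientScope": "roles", "roles": ["offline_access"]},
    ],
}


def effective_roles(realm_rep, role_name):
    """Expand one realm role through its composites. Returns a pair:
    (realm roles reached, including role_name; "client/role" strings reached).
    Unknown role names and composite cycles are tolerated."""
    by_name = {r["name"]: r for r in realm_rep.get("roles", {}).get("realm", [])}
    realm_roles, client_roles, todo = set(), set(), deque([role_name])
    while todo:
        name = todo.popleft()
        if name in realm_roles:
            continue
        realm_roles.add(name)
        comp = by_name.get(name, {}).get("composites") or {}
        todo.extend(comp.get("realm", []))
        for client, roles in comp.get("client", {}).items():
            client_roles.update(f"{client}/{r}" for r in roles)
    return realm_roles, client_roles


def find_privileged_scope_mappings(realm_rep, admin_client=ADMIN_CLIENT,
                                   privileged_realm_roles=PRIVILEGED_REALM_ROLES):
    """One finding per (client, mapped realm role) whose expansion grants any
    admin_client role or a privileged realm role. Mappings attached to client
    scopes (entries without a "client" key) are not what the flaw touches."""
    findings = []
    for mapping in realm_rep.get("scopeMappings", []):
        client = mapping.get("client")
        if client is None:
            continue
        for role in mapping.get("roles", []):
            realm_roles, client_roles = effective_roles(realm_rep, role)
            grants = sorted(r for r in client_roles if r.startswith(admin_client + "/"))
            grants += sorted(realm_roles & set(privileged_realm_roles))
            if grants:
                findings.append({"client": client, "role": role, "grants": grants})
    return findings


def disable_fgap_request(base_url, realm, bearer_token):
    """Build PUT {base_url}/admin/realms/{realm} with {"adminPermissionsEnabled": false}.
    Assumption: Keycloak applies only the fields present in a partial realm body.
    It is a realm attribute, so no restart follows. Send the request with
    urllib.request.urlopen(req) using a token that holds manage-realm."""
    body = json.dumps({"adminPermissionsEnabled": False}).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/admin/realms/{realm}", data=body, method="PUT",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    for f in find_privileged_scope_mappings(SAMPLE_REALM_EXPORT):
        print(f"client {f['client']}: realm role {f['role']} grants {f['grants']}")
    if SAMPLE_REALM_EXPORT.get("adminPermissionsEnabled"):
        req = disable_fgap_request("https://sso.example", SAMPLE_REALM_EXPORT["realm"], "<token>")
        print("mitigation:", req.get_method(), req.full_url, req.data.decode())
```

Run it against a real export to get the list of client and role pairs to review; the composite expansion matters because Keycloak expands composites when it computes a client's scope, so a harmless-looking realm role that contains realm-management/realm-admin is as dangerous in a scope mapping as realm-admin itself.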


Advisories

No advisories yet.

History

Thu, 28 May 2026 14:15:00 +0000
  Metrics added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 12:15:00 +0000
  References added
  Metrics changed: threat_severity None -> Important

Thu, 28 May 2026 07:30:00 +0000
  First time appeared: Redhat build Of Keycloak
  Vendors & Products added: Redhat build Of Keycloak

Thu, 28 May 2026 04:45:00 +0000
  Description added: the text shown under Description above
  Title added: Keycloak: keycloak: privilege escalation via improper scope mapping enforcement
  First time appeared: Redhat; Redhat build Keycloak
  Weaknesses added: CWE-266 (Incorrect Privilege Assignment)
  CPEs added: cpe:/a:redhat:build_keycloak:
  Vendors & Products added: Redhat; Redhat build Keycloak
  References added
  Metrics added: cvssV3_1
    {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-28T13:12:24.121Z

Reserved: 2026-05-28T03:16:18.721Z

Link: CVE-2026-9795

Vulnrichment

Updated: 2026-05-28T13:12:20.708Z

NVD

Status : Undergoing Analysis

Published: 2026-05-28T05:16:41.003

Modified: 2026-05-28T13:44:54.327

Link: CVE-2026-9795

Redhat

Severity : Important

Public Date: 2026-05-28T03:16:49Z

Links: CVE-2026-9795 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T07:15:11Z

Weaknesses