Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12388

CVE-2026-12388: Keycloak Authorization Bypass Vulnerability

CVE-2026-12388 is an authorization bypass flaw in Redhat Build Of Keycloak that allows restricted administrators to escalate privileges to realm-admin. This post covers technical details, affected versions, and mitigations.

Published:

CVE-2026-12388 Overview

CVE-2026-12388 is a privilege escalation vulnerability in the Identity Provider (IdP) mapper component of Red Hat build of Keycloak. The IdP mapper controls how user attributes from external identity services are mapped to Keycloak users. An administrator with limited identity provider management permissions can create a Hardcoded Role mapper that assigns high-privilege roles such as realm-admin to themselves or other users. This action bypasses realm authorization checks and grants full administrative control over the entire realm. The flaw is tracked under CWE-266: Incorrect Privilege Assignment.

Critical Impact

A restricted Keycloak administrator can escalate to realm-admin by abusing the Hardcoded Role IdP mapper, compromising realm-wide identity and access management.

Affected Products

  • Red Hat build of Keycloak
  • Deployments using the Identity Provider mapper component
  • Realms exposing IdP management to delegated administrators

Discovery Timeline

  • 2026-06-30 - CVE-2026-12388 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-12388

Vulnerability Analysis

The vulnerability resides in how Keycloak evaluates permissions when a delegated administrator configures IdP mappers. Keycloak allows administrators with the manage-identity-providers scope to create mappers that transform external identity claims into Keycloak roles, groups, and attributes. Among these mapper types, the Hardcoded Role mapper statically assigns any realm role to users who authenticate through the associated identity provider.

Keycloak fails to validate whether the acting administrator holds the roles they attempt to assign through the mapper. As a result, a low-scope administrator can select high-privilege roles such as realm-admin when defining the mapper. When a user subsequently authenticates via that identity provider, Keycloak assigns the hardcoded role and effectively grants realm-wide control.

Root Cause

The root cause is missing authorization enforcement on role assignment through the IdP mapper configuration API. Keycloak treats the mapper configuration as an administrative action gated only by manage-identity-providers, without cross-checking that the assigning principal already possesses the target role. This violates the principle of least privilege and enables horizontal-to-vertical privilege escalation within the realm.

Attack Vector

An attacker requires an authenticated administrative account with permission to manage identity providers. The attacker creates or edits an existing identity provider, then adds a Hardcoded Role mapper referencing a privileged role such as realm-admin, create-client, or manage-users. When any user, including the attacker, authenticates through the manipulated identity provider, Keycloak applies the mapper and grants the elevated role. The attacker then holds full administrative authority over the realm, including user management, client configuration, and token issuance.

No verified public exploit code is available at this time. Refer to the Red Hat CVE-2026-12388 advisory for authoritative technical details.

Detection Methods for CVE-2026-12388

Indicators of Compromise

  • Creation or modification of Hardcoded Role IdP mappers referencing privileged roles such as realm-admin, manage-realm, or manage-users.
  • Unexpected role grants to accounts that authenticated through federated identity providers.
  • Administrative API calls to /admin/realms/{realm}/identity-provider/instances/{alias}/mappers from accounts lacking realm-admin scope.
  • New realm role bindings appearing on user accounts immediately after IdP-based login events.

Detection Strategies

  • Audit Keycloak admin event logs for CREATE and UPDATE events on IDENTITY_PROVIDER_MAPPER resources.
  • Correlate mapper configuration changes with subsequent role assignments through the same identity provider alias.
  • Alert on any mapper of type oidc-hardcoded-role-idp-mapper or saml-hardcoded-role-idp-mapper that references administrative roles.
  • Compare the acting administrator's role set against the roles referenced in newly created mappers.

Monitoring Recommendations

  • Enable Keycloak admin events with includeRepresentation set to true to capture mapper payloads.
  • Forward Keycloak audit logs to a centralized log platform and retain them for at least 90 days.
  • Baseline the set of identity provider mappers per realm and alert on deviations.
  • Review delegated administrator accounts and their assigned fine-grained permissions on a recurring cadence.

How to Mitigate CVE-2026-12388

Immediate Actions Required

  • Apply the Red Hat build of Keycloak update referenced in the Red Hat advisory as soon as it is available for your version.
  • Enumerate all existing Hardcoded Role IdP mappers and validate that each referenced role is intentional.
  • Revoke manage-identity-providers from administrators who do not require IdP configuration authority.
  • Rotate credentials and sessions for any account that received unexpected privileged roles through IdP mappers.

Patch Information

Red Hat has published tracking information in Red Hat Bug Report #2489140 and the Red Hat CVE-2026-12388 advisory. Apply the fixed Red Hat build of Keycloak package for your deployment channel and restart the Keycloak service after upgrade. Verify the patched version through the administrative console or the /health endpoint.

Workarounds

  • Restrict manage-identity-providers to trusted realm-admin accounts only until the patch is applied.
  • Disable the Hardcoded Role mapper type in environments where it is not required, using fine-grained admin permissions.
  • Enforce mandatory review and approval for any change to identity provider configuration through change management processes.
  • Monitor and alert on realm role assignments that originate from IdP mapper execution rather than direct role grants.
bash
# Configuration example: list existing Hardcoded Role mappers per identity provider
# Requires kcadm.sh authenticated as a realm administrator
kcadm.sh get identity-provider/instances -r <realm> \
  --fields alias | \
  jq -r '.[].alias' | while read alias; do
    echo "=== Mappers for IdP: $alias ==="
    kcadm.sh get identity-provider/instances/$alias/mappers -r <realm> \
      --fields name,identityProviderMapper,config
  done

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.