CVE-2026-9795: Keycloak Privilege Escalation Vulnerability

CVE-2026-9795 is a privilege escalation flaw in Keycloak's Fine-Grained Admin Permissions feature that lets limited admins assign privileged roles to clients. This post covers technical details, impact, and mitigation.

CVE-2026-9795 Overview

CVE-2026-9795 affects Keycloak's Fine-Grained Admin Permissions version 2 (FGAPv2) feature. The flaw enables an administrator with limited client management permissions to assign any realm role, including highly privileged roles, to a client's scope mapping. The injected role is then projected into a user's authentication token when the user accesses the modified client. This results in unauthorized privilege escalation within the Keycloak realm and bypasses the intended boundary enforced by FGAPv2. The weakness is classified as [CWE-266] Incorrect Privilege Assignment.

Critical Impact

A delegated administrator with scoped client permissions can elevate any user's effective privileges to realm-admin level by injecting privileged realm roles into a client scope mapping.

Affected Products

  • Red Hat Keycloak (FGAPv2 feature)
  • Red Hat build of Keycloak
  • Red Hat Single Sign-On distributions incorporating FGAPv2

Discovery Timeline

  • 2026-05-28 - CVE-2026-9795 published to NVD
  • 2026-05-28 - Last updated in the NVD database

Technical Details for CVE-2026-9795

Vulnerability Analysis

Keycloak's FGAPv2 feature delegates a subset of administrative actions to non-superuser administrators. The authorization model is intended to restrict each delegated admin to the resources and actions explicitly granted. This vulnerability breaks that boundary at the client scope mapping endpoint. An administrator with manage-clients or equivalent narrowly scoped client permissions can attach any realm role to a client's scope, even roles the administrator cannot otherwise assign.

When a user authenticates against the modified client, Keycloak projects roles from the client's scope into the issued access token. The injected privileged role appears in the token's realm_access.roles claim. Downstream applications and the Keycloak admin API honor that claim, granting the user permissions far beyond what the delegated administrator should be able to confer.

In CVSS terms the attack vector is network, privileges required are high (the attacker must already hold delegated client management rights), and user interaction is required: a victim must subsequently authenticate against the tampered client. Scope is changed because the privileges granted through the manipulated token extend beyond the security authority of the vulnerable component.

Root Cause

The root cause is missing authorization enforcement on the role-to-scope mapping path within FGAPv2. The endpoint that assigns a realm role to a client's scope mapping does not verify that the calling administrator holds permission over the realm role being assigned. It only validates permission over the target client. This asymmetric check is the privilege assignment flaw described by [CWE-266].

Attack Vector

The attacker authenticates as a delegated administrator with client management rights over at least one client. The attacker calls the Keycloak Admin REST API to add a privileged realm role, such as admin or realm-admin, to the target client's scope mapping. The attacker then waits for, or socially engineers, a user with access to that client to authenticate. The user's resulting access token contains the injected role, and the user, or the attacker leveraging that user's session, performs privileged operations.

No verified public exploit code is available. See the Red Hat CVE-2026-9795 Advisory and Red Hat Bug Report #2482462 for vendor technical details.

Detection Methods for CVE-2026-9795

Indicators of Compromise

  • Keycloak admin event logs containing CLIENT_SCOPE_MAPPING or CLIENT_ROLE_MAPPING create operations performed by non-superuser administrators.
  • Realm roles such as admin, realm-admin, manage-users, or manage-realm newly attached to client scope mappings without a corresponding change-management ticket.
  • Access tokens issued to standard users that contain privileged realm roles in the realm_access.roles claim.
  • Sudden appearance of administrative API calls authenticated by tokens belonging to non-administrative user accounts.

Detection Strategies

  • Enable Keycloak admin events and stream them to a centralized logging platform. Alert on any role-mapping admin event (for example a CLIENT_SCOPE_MAPPING create operation) where the assigned role is on a maintained list of privileged realm roles.
  • Correlate admin events that modify client scope mappings with the assigning administrator's role inventory. Flag cases where the administrator does not hold the assigned role directly.
  • Inspect issued tokens at the application or API gateway layer for unexpected privileged claims relative to the authenticated subject.
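The following detection logic, added here as an example and not part of the original advisory, applies the first two strategies to Keycloak admin events: it flags CREATE operations on client scope mappings that attach a privileged realm role, skips superusers, and records which of the assigned roles the acting administrator does not hold itself. The event field names (operationType, resourceType, authDetails.userId, representation as a JSON string) follow Keycloak's admin event representation as the author of this example understands it; the sample events and ids are constructed.

```python
import json

# Realm roles a delegated admin should never be able to attach to a client scope mapping.
PRIVILEGED_ROLES = {"admin", "realm-admin", "manage-users", "manage-realm"}
# Admin-event resource types that record role-to-scope changes.
ROLE_MAPPING_TYPES = {"CLIENT_SCOPE_MAPPING", "CLIENT_ROLE_MAPPING"}

def privileged_scope_mapping_alerts(events, superusers, admin_roles):
    """One alert per CREATE event that attaches a privileged realm role to a client
    scope mapping by a non-superuser admin. admin_roles maps userId -> set of realm
    roles the admin holds, so each alert also lists assigned roles the actor lacks."""
    alerts = []
    for ev in events:
        if ev.get("operationType") != "CREATE" or ev.get("resourceType") not in ROLE_MAPPING_TYPES:
            continue
        actor = ev.get("authDetails", {}).get("userId")
        if actor in superusers:
            continue
        # Keycloak stores the request body as a JSON string in "representation".
        try:
            body = json.loads(ev.get("representation") or "[]")
        except json.JSONDecodeError:
            body = []
        names = {r.get("name") for r in body if isinstance(r, dict)}
        assigned = sorted(names & PRIVILEGED_ROLES)
        if not assigned:
            continue
        held = admin_roles.get(actor, set())
        alerts.append({"time": ev.get("time"), "actor": actor,
                       "resourcePath": ev.get("resourcePath"), "roles": assigned,
                       "roles_not_held": [r for r in assigned if r not in held]})
    return alerts

# Constructed sample admin events (not real log data); "c1" and "u-*" are placeholder ids.
def _event(actor, op, roles, rtype="CLIENT_SCOPE_MAPPING"):
    return {"time": 1780000000000, "realmId": "corp", "operationType": op,
            "resourceType": rtype, "resourcePath": "clients/c1/scope-mappings/realm",
            "authDetails": {"userId": actor, "ipAddress": "10.0.0.5"},
            "representation": json.dumps([{"id": f"r-{n}", "name": n} for n in roles])}

SAMPLE_EVENTS = [
    _event("u-delegated", "CREATE", ["realm-admin"]),     # delegated admin grants realm-admin: alert
    _event("u-super", "CREATE", ["admin"]),               # superuser: skipped
    _event("u-delegated", "CREATE", ["offline_access"]),  # not a privileged role: no alert
    _event("u-delegated", "DELETE", ["realm-admin"]),     # removal, not a grant: skipped
]
```

Running the sample through `privileged_scope_mapping_alerts(SAMPLE_EVENTS, {"u-super"}, {"u-delegated": {"manage-clients"}})` yields a single alert for the realm-admin grant, with realm-admin listed under roles_not_held.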

Monitoring Recommendations

  • Baseline the set of realm roles attached to each client scope mapping and alert on deviations.
  • Monitor the Keycloak Admin REST API endpoints /admin/realms/{realm}/clients/{id}/scope-mappings/realm for POST requests by delegated administrators.
  • Review FGAPv2 permission grants quarterly and reduce client management permissions to the minimum required.

How to Mitigate CVE-2026-9795

Immediate Actions Required

  • Audit all client scope mappings in every realm and remove privileged realm roles that are not required by the client.
  • Revoke delegated client management permissions from administrators who do not strictly require them until the patched version is deployed.
  • Rotate sessions and revoke refresh tokens for users who authenticated against clients whose scope mappings were modified during the exposure window.
  • Apply vendor updates as soon as they are available from Red Hat for Keycloak and Red Hat build of Keycloak.

Patch Information

Refer to the Red Hat CVE-2026-9795 Advisory for the authoritative list of fixed package versions and errata. The associated tracking record is the Red Hat Bug Report #2482462. Patched Keycloak builds enforce that an administrator may only assign realm roles to a client scope mapping when the administrator already possesses authority over those roles.

Workarounds

  • Disable the FGAPv2 feature where operationally feasible and revert to the standard admin role model until patches are applied.
  • Restrict client management permissions so that no delegated administrator can modify clients used by high-value users or administrators.
  • Add a token-issuance policy at the application layer that rejects tokens carrying privileged realm roles for users outside an approved list.
```bash
# Example: list realm roles currently attached to a client's scope mapping.
# Replace REALM, CLIENT_ID, and TOKEN with environment-specific values.
# CLIENT_ID is the client's internal id (UUID) as used by the Admin REST API,
# not the human-readable clientId.
curl -s -H "Authorization: Bearer ${TOKEN}" \
  "https://keycloak.example.com/admin/realms/${REALM}/clients/${CLIENT_ID}/scope-mappings/realm" \
  | jq '.[] | {id, name}'

# Remove an unauthorized privileged role from the client scope mapping.
# <role-uuid> is the id of the role as returned by the listing above.
curl -s -X DELETE -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type: application/json" \
  -d '[{"id":"<role-uuid>","name":"realm-admin"}]' \
  "https://keycloak.example.com/admin/realms/${REALM}/clients/${CLIENT_ID}/scope-mappings/realm"
```
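The token inspection strategy under Detection Strategies and the application-layer token policy in the Workarounds list are the same check seen from two angles; the example below, added here and not part of the original advisory, implements it: it parses the payload of a Keycloak access token, collects any privileged realm roles from the realm_access.roles claim, and rejects the token unless the subject is on an approved list. It assumes the gateway has already verified the signature and expiry before this policy runs; the sample tokens carry a placeholder signature and constructed claims.

```python
import base64
import json

PRIVILEGED_ROLES = {"admin", "realm-admin", "manage-users", "manage-realm"}

def _b64url_decode(part):
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def privileged_realm_roles(token):
    """Return (sorted privileged roles in realm_access.roles, subject).
    Only the payload is parsed: signature and expiry are assumed to have been
    verified by the gateway before this policy is consulted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(_b64url_decode(parts[1]))
    roles = set(claims.get("realm_access", {}).get("roles", []))
    return sorted(roles & PRIVILEGED_ROLES), claims.get("sub")

def token_policy(token, approved_subjects):
    """Reject a token that carries privileged realm roles unless its subject
    is on the approved list; otherwise allow. Returns the decision for logging."""
    roles, sub = privileged_realm_roles(token)
    action = "reject" if roles and sub not in approved_subjects else "allow"
    return {"action": action, "sub": sub, "roles": roles}

def _make_token(claims):
    # Constructed test token with a placeholder signature; it is not a valid Keycloak token.
    header = base64.urlsafe_b64encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()).rstrip(b"=")
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return f"{header.decode()}.{payload.decode()}.placeholder-signature"

# Constructed sample tokens: a standard user whose token unexpectedly carries realm-admin
# after authenticating against a tampered client, and an approved administrator.
USER_TOKEN = _make_token({"sub": "u-alice", "azp": "tampered-client",
                          "realm_access": {"roles": ["offline_access", "realm-admin"]}})
ADMIN_TOKEN = _make_token({"sub": "u-root", "azp": "admin-cli",
                           "realm_access": {"roles": ["admin"]}})
```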

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
