CVE-2026-9795
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Summary
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4.13-1 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-19 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-19 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6.4-2 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6-8 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6-8 < * | unaffected |
Weaknesses
- CWE-266: Incorrect Privilege Assignment
Workarounds
To mitigate this issue, disable the Fine-Grained Admin Permissions (FGAPv2) feature in Keycloak if it is not strictly required. This can typically be done by setting adminPermissionsEnabled to false in the realm configuration. Disabling FGAPv2 will prevent the exploitation of this flaw by removing the vulnerable functionality. However, this may impact administrative delegation capabilities within Keycloak. A restart or reload of the Keycloak service may be required for the changes to take effect.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement
Additional References
- https://access.redhat.com/security/cve/CVE-2026-9795
- https://bugzilla.redhat.com/show_bug.cgi?id=2482462
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9795.json
- https://access.redhat.com/errata/RHSA-2026:30050
- https://access.redhat.com/errata/RHSA-2026:30084
- https://access.redhat.com/errata/RHSA-2026:30049
- https://access.redhat.com/errata/RHSA-2026:30083
References
- https://access.redhat.com/errata/RHSA-2026:30049
- https://access.redhat.com/errata/RHSA-2026:30050
- https://access.redhat.com/errata/RHSA-2026:30083
- https://access.redhat.com/errata/RHSA-2026:30084
- https://access.redhat.com/security/cve/CVE-2026-9795
- https://bugzilla.redhat.com/show_bug.cgi?id=2482462
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.