CVE-2026-9795
Description
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.
Mitigations
Mitigation details
Description
keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement
Red Hat statement
This is an Important privilege escalation flaw in Keycloak when Fine-Grained Admin Permissions (FGAPv2) are enabled. An attacker with fine-grained client management permissions can bypass role mapping restrictions, allowing them to inject arbitrary realm roles into a client's scope. Subsequent authentication by a privileged user through the compromised client would then project these injected roles into their token, leading to unauthorized access. Exploitation requires specific administrative preconditions and user interaction.
CVSS v3: 7.3 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N)
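A defender-side check that follows from the description above: an audit that walks each client's realm-role scope mappings and flags privileged or composite roles that nobody approved. This is an added example, not Keycloak's or Red Hat's code; it consumes the JSON list of RoleRepresentation objects that the Keycloak admin REST endpoint `GET /admin/realms/{realm}/clients/{id}/scope-mappings/realm` returns, the sample data is constructed, and the privileged-role names are an assumed baseline to replace with your realm's own.

```python
"""Audit Keycloak client scope mappings for unapproved privileged realm roles."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Realm roles that should never be projected through a client without sign-off.
# Assumption: illustrative names; populate from the realm being audited.
PRIVILEGED_ROLES = frozenset({"admin", "create-realm"})


@dataclass(frozen=True)
class Finding:
    client_id: str
    role: str
    reason: str  # "privileged" or "composite"


def audit_scope_mappings(clients: dict[str, list[dict]],
                         approved: dict[str, set[str]] | None = None) -> list[Finding]:
    """clients maps clientId -> RoleRepresentation list from the realm
    scope-mappings endpoint; approved maps clientId -> roles allowed there.
    Composite roles are flagged too, since they can bundle privileged roles."""
    approved = approved or {}
    findings: list[Finding] = []
    for client_id, roles in clients.items():
        allowed = approved.get(client_id, set())
        for role in roles:
            name = role.get("name", "")
            if name in allowed:
                continue
            if name in PRIVILEGED_ROLES:
                findings.append(Finding(client_id, name, "privileged"))
            elif role.get("composite"):
                findings.append(Finding(client_id, name, "composite"))
    return findings


# Constructed sample: one client with only an ordinary composite, one whose
# realm scope mapping has gained the privileged "admin" role.
SAMPLE = json.loads('''{
  "billing-app": [{"name": "offline_access", "composite": false},
                  {"name": "ops-bundle", "composite": true}],
  "support-portal": [{"name": "uma_authorization", "composite": false},
                     {"name": "admin", "composite": true}]
}''')

if __name__ == "__main__":
    for f in audit_scope_mappings(SAMPLE):
        print(f"client {f.client_id!r}: realm role {f.role!r} ({f.reason})")
```

Run it against a dump of each client's realm scope mappings after a Keycloak upgrade or whenever an admin event touches a client's scope mappings.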
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Build of Keycloak | rhbk/keycloak-rhel9 | Affected |
Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Build of Keycloak | Affected |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| redhat | build_of_keycloak | - | |
References
CWEs
CWE-266