4 matches found

NVD
added 8 hours ago, 5 views

CVE-2026-12388

A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role"...

CVSS 6.5
Exploits: 0, References: 2
CVE
added 10 hours ago, 7 views

CVE-2026-12388

CVE-2026-12388 affects Keycloak's Identity Provider (IdP) mapper component. A restricted administrator can abuse a misconfigured mapper, specifically a Hardcoded Role mapper, to assign high-privilege roles (e.g., realm-admin) to themselves or other users, bypassing security checks and gaining full cont...

CVSS 6.5, AI score 5.8
Exploits: 0, References: 2
Cvelist
added 10 hours ago, 6 views

CVE-2026-12388 Keycloak-broker: keycloak: privilege escalation to realm administrator via improper authorization in identity provider mapper

A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role"...

CVSS 6.5
Exploits: 0, References: 2
EUVD
added 10 hours ago, 6 views

EUVD-2026-40301

A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role"...

CVSS 6.5, AI score 5.8
Exploits: 0, References: 2