31 matches found
CVE-2026-4629
A flaw was found in Keycloak. A highly privileged user with manage-clients permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the realm-admin role into generated tokens,...
EUVD-2026-40300
A flaw was found in Keycloak. A highly privileged user with manage-clients permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the realm-admin role into generated tokens,...
CVE-2026-4629 Keycloak: keycloak: privilege escalation through hardcoded role mapper injection
A flaw was found in Keycloak. A highly privileged user with manage-clients permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the realm-admin role into generated tokens,...
EUVD-2026-32716
A flaw was found in Keycloak. An authenticated administrator with the manage-clients role can exploit a Time-of-check to time-of-use TOCTOU vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to realm-admin for all users within the realm,...
CVE-2026-9796
This CVE (CVE-2026-9796) affects Keycloak. An authenticated administrator with the manage-clients role can trigger a TOCTOU flaw in the name-based admin role checks, allowing escalation to realm-admin for all users in the realm. The compromised composite role relationship persists after the attac...
CVE-2026-9796 Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability
A flaw was found in Keycloak. An authenticated administrator with the manage-clients role can exploit a Time-of-check to time-of-use TOCTOU vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to realm-admin for all users within the realm,...
CVE-2026-9796 Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability
A flaw was found in Keycloak. An authenticated administrator with the manage-clients role can exploit a Time-of-check to time-of-use TOCTOU vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to realm-admin for all users within the realm,...
CVE-2026-9796
A flaw was found in Keycloak. An authenticated administrator with the manage-clients role can exploit a Time-of-check to time-of-use TOCTOU vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to realm-admin for all users within the realm,...
PT-2026-44187
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description An authenticated administrator possessing the manage-clients role can exploit a Time-of-check to time-of-use TOCTOU flaw in name-based admin role checks. TOCTOU is a race condition where a...
Keycloak 安全漏洞
Keycloak is an open-source identity and access management solution developed by Keycloak itself. There is a security vulnerability in Keycloak. This vulnerability stems from the fact that authenticated administrators with the manage-clients role can exploit the vulnerability in the name-based...
keycloak: org.keycloak/keycloak-services: Keycloak: Privilege escalation via manage-clients permission
A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within...
EUVD-2026-16307
A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within...
Keycloak: manage-clients permission escalates to full realm admin access
A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within...
GHSA-7XF9-4JFC-WGM4 Keycloak: manage-clients permission escalates to full realm admin access
A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within...
CVE-2026-3121
A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within...
CVE-2026-3121 Keycloak: org.keycloak/keycloak-services: keycloak: privilege escalation via manage-clients permission
A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within...
CVE-2026-3121
A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within...
CVE-2026-3121 Keycloak: org.keycloak/keycloak-services: keycloak: privilege escalation via manage-clients permission
A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within...
CVE-2026-3121
CVE-2026-3121 describes privilege escalation in Keycloak where an administrator with manage-clients permission can leverage a misconfiguration to gain full realm admin access when realm-level admin permissions are enabled. Connected Red Hat advisories (RHSA-2026:6478, RHSA-6477, and RHSA-6477-CVE...
PT-2026-28426
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in Keycloak where an administrator possessing manage-clients permission can exploit a misconfiguration. This misconfiguration arises when the manage-clients permission is...