Lucene search
K

19 matches found

EUVD
EUVD
added 2026/06/30 12:0 p.m.6 views

EUVD-2026-40300

A flaw was found in Keycloak. A highly privileged user with manage-clients permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the realm-admin role into generated tokens,...

6.5CVSS5.7AI score0.0024EPSS
Exploits1References2
CVE
CVE
added 2026/06/30 12:0 p.m.19 views

CVE-2026-4629

CVE-2026-4629 affects Keycloak. A highly privileged user with the ability to manage clients can inject a hardcoded role mapper into any client, bypassing scope restrictions and injecting the realm-admin role into generated tokens, yielding full administrative access to the realm. The vulnerabilit...

6.5CVSS5.7AI score0.0024EPSS
Exploits1References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/30 12:0 p.m.7 views

CVE-2026-12388

A flaw was found in the Identity Provider IdP mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role"...

6.5CVSS5.6AI score0.00233EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/30 12:0 p.m.36 views

CVE-2026-4629 Keycloak: keycloak: privilege escalation through hardcoded role mapper injection

A flaw was found in Keycloak. A highly privileged user with manage-clients permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the realm-admin role into generated tokens,...

6.5CVSS0.0024EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/06/25 4:16 p.m.7 views

CVE-2026-9099 Keycloak: group-admin escalation to realm-admin

A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...

7.7CVSS5.8AI score0.00288EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/25 4:16 p.m.35 views

CVE-2026-9099 Keycloak: group-admin escalation to realm-admin

A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...

7.7CVSS0.00288EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/06/08 11:44 a.m.8 views

CVE-2026-11577

Rejected reason: The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is intended to be equivalent in administrative authori...

6AI score0.00329EPSS
Exploits0References4
NVD
NVD
added 2026/05/28 5:16 a.m.16 views

CVE-2026-9796

A flaw was found in Keycloak. An authenticated administrator with the manage-clients role can exploit a Time-of-check to time-of-use TOCTOU vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to realm-admin for all users within the realm,...

6.5CVSS0.00186EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/28 4:27 a.m.11 views

EUVD-2026-32716

A flaw was found in Keycloak. An authenticated administrator with the manage-clients role can exploit a Time-of-check to time-of-use TOCTOU vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to realm-admin for all users within the realm,...

6.5CVSS5.8AI score0.00186EPSS
Exploits0References2
CVE
CVE
added 2026/05/28 4:27 a.m.82 views

CVE-2026-9796

This CVE (CVE-2026-9796) affects Keycloak. An authenticated administrator with the manage-clients role can trigger a TOCTOU flaw in the name-based admin role checks, allowing escalation to realm-admin for all users in the realm. The compromised composite role relationship persists after the attac...

6.5CVSS5.8AI score0.00186EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/28 12:0 a.m.13 views

PT-2026-44187

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description An authenticated administrator possessing the manage-clients role can exploit a Time-of-check to time-of-use TOCTOU flaw in name-based admin role checks. TOCTOU is a race condition where a...

6.5CVSS5.8AI score0.00186EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/28 12:0 a.m.18 views

Keycloak 安全漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak itself. There is a security vulnerability in Keycloak. This vulnerability stems from the fact that authenticated administrators with the manage-clients role can exploit the vulnerability in the name-based...

6.5CVSS5.8AI score0.00186EPSS
Exploits0References2
OSV
OSV
added 2026/03/26 9:31 p.m.2 views

GHSA-7XF9-4JFC-WGM4 Keycloak: manage-clients permission escalates to full realm admin access

A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within...

6.5CVSS5.8AI score0.00471EPSS
Exploits0References8
Github Security Blog
Github Security Blog
added 2026/03/26 9:31 p.m.4 views

Keycloak: manage-clients permission escalates to full realm admin access

A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within...

7.2CVSS5.8AI score0.00471EPSS
Exploits0References8Affected Software1
Tenable Nessus
Tenable Nessus
added 2025/08/19 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2025-4404

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the...

9.1CVSS7.5AI score0.01827EPSS
Exploits1References3
RedHat Linux
RedHat Linux
added 2025/07/29 1:35 a.m.3 views

org.keycloak/keycloak-services: Privilege Escalation in Keycloak Admin Console (FGAPv2 Enabled)

A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin PermissionsFGAPv2 are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorize...

6.5CVSS5.8AI score0.00368EPSS
Exploits0References5
Veracode
Veracode
added 2025/07/25 6:35 a.m.8 views

Privilege Escalation

org.keycloak, keycloak-services is vulnerable to privilege escalation. The vulnerability is due to improper privilege enforcement when Fine-Grained Admin Permissions FGAPv2 are enabled, which allows an attacker with the manage-users role to escalate privileges to realm-admin...

6.5CVSS6.4AI score0.00368EPSS
Exploits0References10Affected Software1
Snyk
Snyk
added 2025/07/18 3:31 p.m.2 views

Improper Privilege Management

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Privilege Management via improper privilege enforcement in the Fine-Grained Admin Permissions proces...

6.5CVSS6.8AI score0.00368EPSS
Exploits0References2
NCSC
NCSC
added 2025/07/18 1:12 p.m.6 views

Vulnerability fixed in Keycloak

Red Hat has fixed a vulnerability in Keycloak. The vulnerability is in the way Keycloak handles privileged users. A privileged user can gain full administrative control over a realm, which can lead to unauthorized changes to user roles and configurations. This is especially risky in environments...

6.5CVSS6.9AI score0.00368EPSS
Exploits0References2
Rows per page
Query Builder