CVE Catalog

CVE-2026-12388

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile — higher than 14% of all known CVEs

Summary

A flaw in the Identity Provider (IdP) mapper component of Keycloak allows an administrator with limited permissions to assign high-level administrative roles (e.g., realm-admin) to themselves or others by creating a 'Hardcoded Role' mapper. This bypasses security checks and grants full control over the entire realm.

Risk Assessment

The risk is privilege escalation by an unauthorized administrator, potentially leading to full takeover of the Keycloak realm, compromising data confidentiality and integrity, and disrupting authentication services.

Recommendation

Immediately update Keycloak to a patched version and review/restrict permissions for administrators managing identity providers to prevent creation of dangerous mappers.

Original NVD description (English source)

A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role" mapper that assigns high-level administrative roles (like realm-admin) to themselves or others. This allows a restricted administrator to bypass security checks and gain full control over the entire realm.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS