CVE Catalog

CVE-2026-4629

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

A flaw was found in Keycloak where a user with `manage-clients` permission can inject a hardcoded role mapper into any client. This bypasses scope restrictions and adds the `realm-admin` role to tokens, leading to privilege escalation and full administrative access to the realm.

Risk Assessment

The organization risks complete realm takeover by a privileged user, potentially leading to unauthorized access to sensitive data and system integrity compromise.

Recommendation

Immediately update Keycloak to a patched version and review/restrict `manage-clients` permissions to trusted users only.

Original NVD description (English source)

A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS