CVE-2026-4629
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
A flaw was found in Keycloak where a user with `manage-clients` permission can inject a hardcoded role mapper into any client. This bypasses scope restrictions and adds the `realm-admin` role to tokens, leading to privilege escalation and full administrative access to the realm.
Risk Assessment
The organization risks complete realm takeover by a privileged user, potentially leading to unauthorized access to sensitive data and system integrity compromise.
Recommendation
Immediately update Keycloak to a patched version and review/restrict `manage-clients` permissions to trusted users only.
Original NVD description (English source)
A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm.

