CVE-2026-9795
HighCVSS 7.3Exploitation Probability (EPSS)
Low risk21th percentile - higher than 21% of all known CVEs
Summary
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can assign any realm role, including highly privileged ones, to a client's scope mapping. This bypasses security controls and injects the role into a user's authentication token.
Risk Assessment
The risk is unauthorized privilege escalation within the Keycloak realm, potentially allowing attackers to access resources and functions reserved for administrators.
Recommendation
Immediately update Keycloak to a patched version and review/restrict client administrator permissions in the FGAPv2 configuration.
Original NVD description (English source)
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.

