CVE Catalog

CVE-2026-9795

HighCVSS 7.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile - higher than 21% of all known CVEs

Summary

A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can assign any realm role, including highly privileged ones, to a client's scope mapping. This bypasses security controls and injects the role into a user's authentication token.

Risk Assessment

The risk is unauthorized privilege escalation within the Keycloak realm, potentially allowing attackers to access resources and functions reserved for administrators.

Recommendation

Immediately update Keycloak to a patched version and review/restrict client administrator permissions in the FGAPv2 configuration.

Original NVD description (English source)

A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS