CVE-2026-11986 MEDIUM

CVE-2026-11986: Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of keycloak

Vendor Red Hat
Product Red Hat Build of Keycloak
Weakness CWE-425 · Forced browsing
Published June 11, 2026
Last update June 11, 2026

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.

Key dates

02Disclosure timeline

June 11, 2026 CVE published
June 11, 2026 Record updated