CVE-2026-9795 HIGH

CVE-2026-9795: Keycloak: keycloak: privilege escalation via improper scope mapping enforcement

Vendor Red Hat
Product Red Hat build of Keycloak 26.4.13
Weakness CWE-266
Published May 28, 2026
Last update June 30, 2026

CVSS base score

7.3/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

Description

A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator who holds only limited client-management permissions can exploit it to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses the intended authorization checks: the injected role is projected into a user's authentication token when that user accesses the modified client, which could lead to unauthorized privilege escalation within the Keycloak realm.

Key dates

Disclosure timeline

May 28, 2026 CVE published
June 30, 2026 Record updated