Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of keycloak
CVE-2026-11986

4.9MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Build Of Keycloak; Red Hat Jboss Enterprise Application Platform Expansion Pack
Vendor: CVE Published:; 11 June 2026

What is CVE-2026-11986?

A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.

References

https://access.redhat.com/security/cve/CVE-2026-11986

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2487906

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2026
Vulnerability Reserved
Jun 11, 2026

Credit

Red Hat would like to thank Wesley "Alardiians" Colquitt (Byteshyft Studios) for reporting this issue.

CVE-2026-11986 Data

JSON