Authorization Flaw in Keycloak Admin REST API
CVE-2026-16106
4.9MEDIUM
What is CVE-2026-16106?
A vulnerability in the Keycloak admin REST API allows attackers with limited administrative permissions to remove child roles from composite roles without adequate authorization checks. This flaw can enable unauthorized changes to user access, compromising the integrity of role management and potentially disrupting service for other users and administrators. It highlights the importance of robust authorization protocols in identity and access management systems.
References
CVSS V3.1
Score:
4.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Owais Lone (thesecguy) - Independent Security Researcher for reporting this issue.