Authorization Flaw in Keycloak Admin REST API
CVE-2026-16106

4.9MEDIUM

What is CVE-2026-16106?

A vulnerability in the Keycloak admin REST API allows attackers with limited administrative permissions to remove child roles from composite roles without adequate authorization checks. This flaw can enable unauthorized changes to user access, compromising the integrity of role management and potentially disrupting service for other users and administrators. It highlights the importance of robust authorization protocols in identity and access management systems.

References

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Owais Lone (thesecguy) - Independent Security Researcher for reporting this issue.
.