Privilege Escalation Vulnerability in Keycloak's Fine-Grained Admin Permissions
CVE-2026-9795
7.3 HIGH
What is CVE-2026-9795?
A significant flaw exists in the Fine-Grained Admin Permissions (FGAPv2) feature of Keycloak. An administrator who holds only restricted client-management permissions can assign any realm role to a client's scope mappings, bypassing the authorization controls the feature is meant to enforce. When a user authenticates to the affected client, the injected role is projected into that user's token, enabling privilege escalation within the Keycloak realm and potentially leading to unauthorized access to and manipulation of sensitive resources.
CVSS v3.1
Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Changed
Credit
Red Hat would like to thank Andrej Tomci for reporting this issue.