How CVE-2026-9795 Works
CVE-2026-9795 is a privilege escalation vulnerability found in Keycloak’s Fine-Grained Admin Permissions (FGAPv2) feature. The core issue lies in improper privilege assignment (CWE-266) during client scope mapping operations.
When FGAPv2 is enabled, administrators can be granted granular permissions limited to specific clients. The vulnerability exists because the admin REST API endpoints responsible for scope mapping (the `ScopeMappedResource` and `ScopeMappedClientResource` write endpoints) lack a critical authorization check: they do not call `requireMapClientScope` for each role being mapped.
An attacker who is an administrator with limited client management permissions can exploit this missing check. By crafting a malicious request to the admin REST API, they can assign any realm role — including highly privileged roles like `realm-admin` — to a client’s scope mapping, even though their permissions should restrict them.
Once the privileged role is injected into the client’s scope mapping, any user who subsequently authenticates and accesses that modified client will have the injected role projected into their authentication token. This effectively elevates the privileges of that user, granting them unauthorized access and capabilities within the Keycloak realm. The attack requires network access, high privileges (an administrator account, though one with only limited client-management permissions), high attack complexity, and user interaction.
DailyCVE Form:
Platform: Red Hat Build of Keycloak
Version: 26.2.0 through 26.2.5
Vulnerability: Incorrect Privilege Assignment (CWE-266)
Severity: 7.3 HIGH (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N)
Date: 2026-05-28 (published)
Prediction: 2026-06-15 (estimated patch availability)
What Undercode Say:
Analytics from Security Feeds:
- CVSS v3.1 Base Score: 7.3 (HIGH)
- CVSS v3.1 Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
- Exploit Price Estimate: USD $0–$5k
- Attack Vector: NETWORK
- Privileges Required: HIGH
- User Interaction: REQUIRED
- Scope: CHANGED
- CWE: CWE-266 Incorrect Privilege Assignment
- MITRE ATT&CK: T1068 (Privilege Escalation)
- Advisory References: RHSA-2025:12015, RHSA-2025:12016
Vulnerable Code Context (Admin REST API):
The flaw resides in the missing privilege boundary check within the scope mapping endpoints. The following pseudo-code illustrates the missing validation:

    // Endpoint: /admin/realms/{realm}/clients/{client-id}/scope-mappings/roles/realm
    // Vulnerable implementation (missing requireMapClientScope check)
    @PUT
    @Path("/realm")
    public Response addRealmRolesToClientScope(...) {
        // Missing: requireMapClientScope(client, role) for each role in roles
        // The realm roles are added to the client's scope mapping without
        // verifying that the caller may map each of them
        clientScopeMapping.addRealmRoles(roles);
        return Response.ok().build();
    }
Fixed Implementation (Reference from GHSA-27gp-8389-hm4w):
The fix, applied in versions 26.2.6 and 26.3.0, adds the necessary authorization checks to ensure the administrator has the required `map-client-scope` permission for each role being assigned.

    // Patched implementation
    @PUT
    @Path("/realm")
    public Response addRealmRolesToClientScope(...) {
        for (RoleRepresentation role : roles) {
            // Correct authorization check per role: rejects the request
            // unless the caller may map this role into the client's scope
            requireMapClientScope(client, role);
        }
        clientScopeMapping.addRealmRoles(roles);
        return Response.ok().build();
    }
Exploit:
An attacker with limited client management permissions can exploit this vulnerability by:
1. Identifying a target client within the realm.
2. Crafting a `PUT` request to the admin REST API endpoint for adding realm roles to the client’s scope mapping:
   PUT /admin/realms/{realm}/clients/{client-id}/scope-mappings/roles/realm
3. Including in the request body the desired privileged realm role (e.g., realm-admin):
   [ { "id": "realm-admin-role-id", "name": "realm-admin" } ]
4. The server, lacking the `requireMapClientScope` check, accepts the request and adds the privileged role to the client’s scope mapping.
5. When any user authenticates and accesses this client, the `realm-admin` role is injected into their access token, granting them full administrative privileges.
Protection:
- Upgrade Keycloak to a patched version: 26.2.6 or 26.3.0 (or later) immediately.
- If upgrading is not immediately possible, disable Fine-Grained Admin Permissions (FGAPv2) as a temporary mitigation, though this reduces administrative granularity.
- Audit existing client scope mappings for any unauthorized or highly privileged roles that may have been added.
- Review administrator permissions and ensure the principle of least privilege is strictly enforced.
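To support the audit step above, the following is an added example (not from the advisory or the Keycloak project) that scans Keycloak admin events for scope-mapping changes that add privileged realm roles to a client, and flags events whose representation was not logged so the client can be checked directly. The admin-event field names, the privileged roles other than `realm-admin`, and the sample events are assumptions constructed for the example.

```python
import json

# Roles whose appearance in a client's scope mapping warrants review: realm-admin
# is the role named in the advisory; the rest are assumptions drawn from
# Keycloak's built-in realm-management roles.
PRIVILEGED_ROLES = {"realm-admin", "manage-realm", "manage-users", "manage-clients"}

def _ev(ts, client, user, roles):
    """Constructed admin event (one JSON line) modelled on Keycloak's
    AdminEventRepresentation; field names are an assumption. roles=None
    simulates an event logged without 'include representation' enabled."""
    ev = {"time": ts, "realmId": "corp", "operationType": "CREATE",
          "resourceType": "CLIENT_SCOPE_MAPPING",
          "resourcePath": f"clients/{client}/scope-mappings/realm",
          "authDetails": {"userId": user, "ipAddress": "203.0.113.10"}}
    if roles is not None:
        ev["representation"] = json.dumps([{"id": f"r-{n}", "name": n} for n in roles])
    return json.dumps(ev)

SAMPLE_ADMIN_EVENTS = [
    _ev(1780000000000, "0f9a2c1e-demo-client", "u-limited-admin", ["realm-admin"]),
    _ev(1780000001000, "0f9a2c1e-demo-client", "u-limited-admin", ["offline_access"]),
    _ev(1780000002000, "5d77-other-client", "u-other-admin", None),
]

def find_privileged_scope_mappings(event_lines, privileged=PRIVILEGED_ROLES):
    """One finding per CREATE on CLIENT_SCOPE_MAPPING that adds a privileged role.
    Events whose representation was not logged (or is not a role list) are reported
    with roles=None: the added roles cannot be verified from the event alone."""
    findings = []
    for line in event_lines:
        try:
            ev = json.loads(line)
            rep = ev.get("representation")
            roles = None if rep is None else json.loads(rep)
        except (json.JSONDecodeError, AttributeError):
            continue  # malformed line or representation: skip rather than raise
        if (ev.get("resourceType"), ev.get("operationType")) != ("CLIENT_SCOPE_MAPPING", "CREATE"):
            continue
        hit = None
        if isinstance(roles, list):
            hit = sorted({r.get("name") for r in roles if isinstance(r, dict)} & privileged)
            if not hit:
                continue
        auth = ev.get("authDetails") or {}
        findings.append({"time": ev.get("time"), "realm": ev.get("realmId"),
                         "actor": auth.get("userId"), "source_ip": auth.get("ipAddress"),
                         "resource": ev.get("resourcePath"), "roles": hit})
    return findings
```

A finding with `roles=None` is not noise: the event proves a scope mapping was written but not what was added, so that client's current realm scope mapping should be retrieved and reviewed.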
Impact:
- Confidentiality Impact: HIGH — An attacker can gain unauthorized access to sensitive realm configuration and user data.
- Integrity Impact: HIGH — The attacker can modify realm settings, create or delete users, and alter security policies.
- Availability Impact: NONE — The vulnerability does not directly cause denial of service.
- Privilege Escalation: An attacker with limited administrative rights can escalate to full `realm-admin` privileges, completely bypassing the intended separation of administrative duties.
- Scope: Changed — The vulnerable component impacts resources beyond its security scope.
Sources:
Reported By: github.com