logo

Database

Privilege escalation In org.keycloak:keycloak-services

Description

Keycloak: manage-clients permission escalates to full realm admin access A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-31212. NVD-2026-31213. OSV-2026-31214. GCVE-2026-31215. access.redhat.com6. access.redhat.com7. ACCESS-CVE-2026-3121

References

1. https://github.com/keycloak/keycloak/issues/467192. https://github.com/keycloak/keycloak/commit/79ab3110a257fb8d6f1a664c916687128094ed013. https://bugzilla.redhat.com/show_bug.cgi?id=2442277

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.