A flaw was found in Keycloak. A highly privileged user...
Moderate severity
Unreviewed
Published
Jun 30, 2026
to the GitHub Advisory Database
•
Updated Jun 30, 2026
Description
Published by the National Vulnerability Database
Jun 30, 2026
Published to the GitHub Advisory Database
Jun 30, 2026
Last updated
Jun 30, 2026
A flaw was found in Keycloak. A highly privileged user with
manage-clientspermission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject therealm-adminrole into generated tokens, resulting in privilege escalation and full administrative access to the realm.References