4.9
CVE-2026-11986
- EPSS 0.2%
- Veröffentlicht 11.06.2026 16:47:11
- Zuletzt bearbeitet 11.06.2026 20:56:29
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of keycloak
A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerRed Hat
≫
Produkt
Red Hat Build of Keycloak
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Build of Keycloak
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Build of Keycloak
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat JBoss Enterprise Application Platform Expansion Pack
Default Statusunaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.099 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 4.9 | 1.2 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
|
CWE-425 Direct Request ('Forced Browsing')
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
https://access.redhat.com/security/cve/CVE-2026-11986
https://bugzilla.redhat.com/show_bug.cgi?id=2487906