4.9

CVE-2026-11986

Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of keycloak

A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerRed Hat
Produkt Red Hat Build of Keycloak
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Build of Keycloak
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Build of Keycloak
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat JBoss Enterprise Application Platform Expansion Pack
Default Statusunaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.2% 0.099
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
secalert@redhat.com 4.9 1.2 3.6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CWE-425 Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

https://access.redhat.com/security/cve/CVE-2026-11986
https://bugzilla.redhat.com/show_bug.cgi?id=2487906