6.5
CVE-2026-12388
- EPSS 0.23%
- Veröffentlicht 30.06.2026 12:00:28
- Zuletzt bearbeitet 01.07.2026 20:26:45
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Keycloak-broker: keycloak: privilege escalation to realm administrator via improper authorization in identity provider mapper
A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role" mapper that assigns high-level administrative roles (like realm-admin) to themselves or others. This allows a restricted administrator to bypass security checks and gain full control over the entire realm.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Build Of Keycloak Version-
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.23% | 0.141 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 6.5 | 1.2 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
|
CWE-266 Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
https://access.redhat.com/security/cve/CVE-2026-12388
https://bugzilla.redhat.com/show_bug.cgi?id=2489140