CVE-2026-4629 - Vulnerability Details - OpenCVE

A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Build Keycloak

No data.

No data.

No data.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2026-4629
https://bugzilla.redhat.com/show_bug.cgi?id=2450244

History

Tue, 30 Jun 2026 12:30:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm.
Title		Keycloak: keycloak: privilege escalation through hardcoded role mapper injection
First Time appeared		Redhat Redhat build Keycloak
Weaknesses		CWE-266
CPEs		cpe:/a:redhat:build_keycloak:
Vendors & Products		Redhat Redhat build Keycloak
References		https://access.redhat.com/security/cve/CVE-2026-4629 https://bugzilla.redhat.com/show_bug.cgi?id=2450244
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-06-30T12:00:28.631Z

Updated: 2026-06-30T12:00:28.631Z

Reserved: 2026-03-23T08:02:49.337Z

Link: CVE-2026-4629

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4629", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-23T08:02:49.337Z", "datePublished": "2026-06-30T12:00:28.631Z", "dateUpdated": "2026-06-30T12:00:28.631Z"}, "containers": {"cna": {"title": "Keycloak: keycloak: privilege escalation through hardcoded role mapper injection", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-4629", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450244", "name": "RHBZ#2450244", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-20T12:34:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "Incorrect Privilege Assignment", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-266: Incorrect Privilege Assignment", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2026-03-23T08:01:10.722Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-20T12:34:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Daniel Peters (Operating Intelligence Inc.), Lior Moshe (Operating Intelligence Inc.), and Uri Rolls (Operating Intelligence Inc.) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-30T12:00:28.631Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}