Introduction
A missing authorization check in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) feature allows a delegated administrator with limited client management permissions to inject arbitrary realm roles, including realm-admin, into a client's scope mapping, effectively poisoning the authentication tokens issued to downstream users. This is the second privilege escalation vulnerability discovered in the FGAPv2 feature since its introduction in Keycloak 26.2.0 just one year ago, raising questions about the maturity of the permission enforcement model in one of the most widely deployed open source IAM platforms.
Keycloak is an open source identity and access management solution providing single sign on, social login, user federation, and standards based authentication for modern applications. Commercially distributed by Red Hat (an IBM subsidiary) as the "Red Hat build of Keycloak," it serves as the identity backbone for enterprise environments across the $22+ billion IAM market. With 114 recorded CVEs according to OpenCVE, Keycloak represents a significant and persistent attack surface for organizations relying on it for centralized authentication.
Technical Information
Root Cause
CVE-2026-9795 resides in the Keycloak admin REST API, specifically within the org.keycloak.services.resources.admin component. The ScopeMappedResource and ScopeMappedClientResource write endpoints, which handle adding and deleting scope mappings for clients, fail to invoke the requireMapClientScope authorization check on a per-role basis. This omission means the API does not verify whether the requesting administrator holds the MAP_ROLE_CLIENT_SCOPE permission before allowing a realm role to be added to a client's scope mapping.
The vulnerability is classified under CWE-266 (Incorrect Privilege Assignment), which describes a weakness where "a product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor." In this case, the missing check creates an unintended sphere of control: any administrator with fine-grained manage permission on a single client can manipulate scope mappings to include roles they should never be able to assign.
CVSS Vector Analysis
The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N, yielding a score of 7.3 (High).
| CVSS Metric | Value | Interpretation |
|---|---|---|
| Attack Vector | Network (AV:N) | Exploitable remotely over the network |
| Attack Complexity | High (AC:H) | Requires specific conditions: FGAPv2 enabled, limited admin access |
| Privileges Required | High (PR:H) | Attacker must be an administrator with limited manage permissions |
| User Interaction | Required (UI:R) | A privileged user must authenticate through the modified client |
| Scope | Changed (S:C) | Impact crosses security boundaries beyond the vulnerable component |
| Confidentiality | High (C:H) | Full access to realm data possible via injected roles |
| Integrity | High (I:H) | Attacker can modify realm configuration via elevated privileges |
| Availability | None (A:N) | No direct availability impact |
The Scope:Changed metric is particularly significant here. The vulnerability's impact extends from the client level boundary into the realm level boundary, meaning a small code defect in scope mapping enforcement produces a large blast radius across the entire Keycloak realm.
Attack Flow
Three conditions must converge for successful exploitation:
Step 1: FGAPv2 must be enabled. The target realm must have adminPermissionsEnabled=true. This feature was introduced in Keycloak 26.2.0 (May 2025) and provides fine-grained delegated administration capabilities.
Step 2: The attacker must hold fine-grained manage permission on at least one client. The attacker does NOT need global manage-clients permission or MAP_ROLE_CLIENT_SCOPE permission on any privileged role. A narrow, delegated permission on a single client is sufficient.
Step 3: The attacker injects a privileged role into the client's scope mapping. The attacker calls:
POST /admin/realms/{realm}/clients/{uuid}/scope-mappings/realm
with the realm-admin role (or any other highly privileged role) in the request body. Due to the missing requireMapClientScope check, the request succeeds despite the attacker lacking the necessary permissions.
Step 4 (optional): The attacker enables full scope. The attacker can set fullScopeAllowed=true on the client via:
PUT /admin/realms/{realm}/clients/{uuid}
Step 5: Token poisoning occurs. When a user who holds the targeted role (e.g., realm-admin) authenticates through the modified client, the injected role is projected into the issued authentication token. The attacker does not directly gain privileges; instead, they poison the token issuance pipeline, granting the authenticating user unintended scope within that client session.
This indirect exploitation model is what drives the User Interaction:Required metric in the CVSS vector. The attacker sets the trap, but a privileged user must walk into it by authenticating through the compromised client.
Architectural Implications
The mismatch between the narrow root cause (a missing requireMapClientScope call) and the broad impact (realm level privilege escalation via token poisoning) is characteristic of IAM platform vulnerabilities. The vulnerability effectively turns the scope mapping mechanism into a privilege injection vector, allowing a lower-privileged actor to influence the tokens issued to higher-privileged actors without directly compromising their accounts.
This is also the second documented privilege escalation in FGAPv2. CVE-2025-7784 (CVSS 7.1 High) addressed a similar admin console privilege escalation when FGAPv2 was enabled, allowing a user with limited permissions to improperly access restricted administrative functionality. The recurrence of privilege escalation flaws within the same feature suggests a systemic weakness in the permission enforcement model that warrants architectural review rather than point fixes.
Affected Systems and Versions
Based on the available information, the following configurations are affected:
- Keycloak instances with FGAPv2 enabled (
adminPermissionsEnabled=trueon the realm) - FGAPv2 was introduced in Keycloak 26.2.0 (May 2025), making versions from 26.2.0 onward potentially vulnerable when this feature is enabled
- The most recent release, Keycloak 26.6.2 (May 19, 2026), does not include a fix for CVE-2026-9795
- Red Hat build of Keycloak distributions are also affected when FGAPv2 is enabled
The vulnerability cannot be exploited if FGAPv2 is not enabled on the realm, or if no delegated administrator holds fine-grained manage permission on any client. Organizations that have not enabled FGAPv2 are not affected.
No patched version has been identified. The Red Hat Bugzilla entry's "Fixed In Version" field remains empty as of 2026-05-28.
Vendor Security History
Keycloak has accumulated 114 CVEs according to OpenCVE, reflecting a persistent attack surface in the IAM platform. Recent high severity Keycloak CVEs illustrate the breadth of vulnerability types:
| CVE ID | CVSS | Description | Date |
|---|---|---|---|
| CVE-2026-7571 | 7.1 High | Access token disclosure and implicit flow bypass via forged client data | May 2026 |
| CVE-2026-7507 | N/A | Session fixation in login actions endpoints | May 2026 |
| CVE-2026-4366 | N/A | Blind Server Side Request Forgery (SSRF) via HTTP redirect handling | Apr 2026 |
| CVE-2026-4634 | N/A | Application level DoS via scope parameter | 2026 |
| CVE-2025-7784 | 7.1 High | Privilege escalation in Keycloak admin console (FGAPv2 enabled) | 2026 |
| CVE-2026-9795 | 7.3 High | Privilege escalation via improper scope mapping enforcement (FGAPv2) | May 2026 |
The FGAPv2 feature specifically has produced two privilege escalation CVEs (CVE-2025-7784 and CVE-2026-9795) within approximately one year of its introduction. This pattern suggests the feature's permission enforcement model has not yet reached maturity. Organizations should treat FGAPv2 as carrying elevated risk until a sustained period without new privilege escalation findings is observed.
Red Hat's security response process, coordinated through [email protected] and the Red Hat Bugzilla system, has been consistent in acknowledging and tracking these issues. Recent advisories include RHSA-2026:19596 (Red Hat build of Keycloak 26.4.12) and RHSA-2026:6478, though neither addresses CVE-2026-9795.
No recent Keycloak CVEs have been observed as actively exploited in the wild, and none appear on the CISA Known Exploited Vulnerabilities catalog.
References
- NVD: CVE-2026-9795
- Red Hat Security CVE Page: CVE-2026-9795
- Red Hat Bugzilla: Bug 2482462
- GitHub Security Advisory GHSA-27gp-8389-hm4w: CVE-2025-7784 FGAPv2 Privilege Escalation
- NVD: CVE-2025-7784
- Red Hat Bugzilla: Bug 2381861 (CVE-2025-7784)
- Keycloak Blog: Achieving Fine-Grained Admin Permissions (FGAPv2)
- CWE-266: Incorrect Privilege Assignment
- Keycloak 26.6.2 Release Notes
- OpenCVE: Keycloak CVEs
- Keycloak GitHub Releases
- Keycloak Server Administration Guide
- RHSA-2026:19596 Security Advisory
- RHSA-2026:6478 Security Advisory
- Mondoo: 2026 State of Vulnerabilities Report



