VYPR
Medium severity (4.9) · NVD Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

CVE-2026-11986

Description

Authorization bypass in Keycloak admin-ui-ext bulk role-removal endpoints lets delegated admins remove high-privileged roles from other users/groups.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An authorization bypass vulnerability exists in the Keycloak admin-ui-ext component's bulk role-mapping-delete endpoints (POST /admin/realms/{realm}/ui-ext/role-mapping-delete/users/{id} and POST /admin/realms/{realm}/ui-ext/role-mapping-delete/groups/{id}) [1][2]. The implementation only performs a container-level authorization check (requireMapRoles) but fails to enforce the per-role authorization check (requireMapRole) that is required by the standard Admin REST API [2]. This allows a delegated administrator with manage-users permissions to remove sensitive roles (such as manage-realm, manage-clients, or realm-admin) from other users or groups [2]. Affected versions are not explicitly enumerated in the available references, but the flaw resides in Keycloak versions containing the admin-ui-ext component prior to the fix.
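The difference between a container-level check and a per-role check is the whole bug here, so the following added illustration models it in plain Python. It is not Keycloak source and does not use Keycloak's API: the permission policy (which roles count as privileged, and that only a realm-admin may unmap them) is a constructed simplification, and the function names require_map_roles / require_map_role only echo the checks the advisory names. The vulnerable handler runs the container-level check alone; the hardened one authorizes every requested role before touching the target, so a bulk request is all-or-nothing and behaves like the per-role Admin REST API path.

```python
"""Generic model of the container-level vs per-role authorization gap.

Added example, not Keycloak code. The policy below is constructed for this
illustration; the function names echo the advisory's terminology only.
"""
from dataclasses import dataclass, field

# Roles a delegated admin must not be able to strip from others unless the
# caller holds realm-admin (constructed policy, not Keycloak's real rules).
PRIVILEGED_ROLES = {"manage-realm", "manage-clients", "realm-admin"}


class Forbidden(Exception):
    """Raised where a real server would answer 403 Forbidden."""


@dataclass
class Principal:
    """The authenticated caller and the roles it holds."""
    name: str
    roles: set = field(default_factory=set)


@dataclass
class RoleMappings:
    """Role mappings currently assigned to a target user or group."""
    target: str
    roles: set = field(default_factory=set)


def require_map_roles(caller: Principal) -> None:
    """Container-level check: may the caller edit role mappings at all?"""
    if not caller.roles & {"manage-users", "realm-admin"}:
        raise Forbidden(f"{caller.name} may not edit role mappings")


def require_map_role(caller: Principal, role: str) -> None:
    """Per-role check: may the caller map or unmap this specific role?"""
    if role in PRIVILEGED_ROLES and "realm-admin" not in caller.roles:
        raise Forbidden(f"{caller.name} may not map/unmap {role}")


def bulk_delete_vulnerable(caller: Principal, target: RoleMappings, roles) -> set:
    """Mirrors the described flaw: only the container-level check runs,
    so a manage-users holder can strip realm-admin from someone else."""
    require_map_roles(caller)
    target.roles -= set(roles)
    return target.roles


def bulk_delete_fixed(caller: Principal, target: RoleMappings, roles) -> set:
    """Authorize every role first, then mutate: one forbidden role rejects
    the whole bulk request and leaves the target's mappings untouched."""
    require_map_roles(caller)
    for role in roles:
        require_map_role(caller, role)
    target.roles -= set(roles)
    return target.roles


def demo():
    """Run both handlers with a delegated admin against a privileged target.

    Returns (roles left after the vulnerable call, whether the fixed call was
    blocked, roles left after the fixed call)."""
    delegated = Principal("helpdesk", {"manage-users"})

    def privileged_target() -> RoleMappings:
        return RoleMappings("alice", {"realm-admin", "manage-realm", "view-users"})

    stripped = bulk_delete_vulnerable(
        delegated, privileged_target(), ["realm-admin", "view-users"])

    target = privileged_target()
    try:
        bulk_delete_fixed(delegated, target, ["realm-admin", "view-users"])
        blocked = False
    except Forbidden:
        blocked = True
    return stripped, blocked, target.roles


if __name__ == "__main__":
    print(demo())
```

The ordering in bulk_delete_fixed matters: checking each role inside the same loop that removes it would leave the target half-modified when a later role is refused, which is a subtler variant of the same class of bug.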

Exploitation

An authenticated attacker who holds a delegated administrator role with at least manage-users permissions can exploit this flaw [2]. The attacker sends HTTP POST requests to the vulnerable bulk role-mapping-delete endpoints, targeting other administrators or groups. The standard Admin REST API correctly returns a 403 Forbidden error for such operations, but the bulk endpoint improperly allows them due to the missing per-role check [2]. No special network position beyond standard API access is required.

Impact

Successful exploitation allows the attacker to remove highly privileged roles (e.g., manage-realm, manage-clients, realm-admin) from other administrative users or groups [2]. This disrupts administrative access control within the Keycloak realm: it can weaken the security posture of other administrators, potentially enabling privilege escalation, or deny legitimate administrators the ability to perform their operations.

Mitigation

The available references do not disclose a fixed version or a specific release date for the patch [1][2]. Red Hat has acknowledged the vulnerability, and a fix is expected in a future Keycloak update. Until a patched version is available, administrators should review delegated administrator permissions and limit the use of the admin-ui-ext component if possible. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog per the available data.

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet).

Vulnerability mechanics: no source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0 (no linked articles in our index yet).