Medium severity (6.5) · NVD Advisory · Published Mar 26, 2026 · Updated Apr 2, 2026
CVE-2026-3121
Description
A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-services (Maven) | < 26.5.6 | 26.5.6 |
Affected products
- cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
Patches
79ab3110a257 Privilege escalation via manage-clients permission
1 file changed · +11 −2
services/src/main/java/org/keycloak/services/resources/admin/fgap/RealmPermissionsV2.java+11 −2 modified@@ -16,6 +16,7 @@ */ package org.keycloak.services.resources.admin.fgap; +import org.keycloak.authorization.fgap.AdminPermissionsSchema; import org.keycloak.authorization.model.ResourceServer; import org.keycloak.models.ClientModel; @@ -27,6 +28,10 @@ public RealmPermissionsV2(MgmtPermissions root) { @Override public boolean canManageAuthorizationDefault(ResourceServer resourceServer) { + // if the ResourceServer belongs to the admin-permissions client, check manage-realm + if (resourceServer != null && AdminPermissionsSchema.SCHEMA.isAdminPermissionClient(root.realm, resourceServer.getId())) { + return super.canManageRealm(); + } if (super.canManageAuthorizationDefault(resourceServer)) { return true; } @@ -36,6 +41,10 @@ public boolean canManageAuthorizationDefault(ResourceServer resourceServer) { @Override public boolean canViewAuthorizationDefault(ResourceServer resourceServer) { + // if the ResourceServer belongs to the admin-permissions client, check manage-realm or view-realm + if (resourceServer != null && AdminPermissionsSchema.SCHEMA.isAdminPermissionClient(root.realm, resourceServer.getId())) { + return super.canViewRealm(); + } if (super.canViewAuthorizationDefault(resourceServer)) { return true; } @@ -44,7 +53,7 @@ public boolean canViewAuthorizationDefault(ResourceServer resourceServer) { } private ClientModel getClient(ResourceServer resourceServer) { - ClientModel client = root.session.clients().getClientById(root.realm, resourceServer.getId()); - return client; + if (resourceServer == null) return null; + return root.session.clients().getClientById(root.realm, resourceServer.getId()); } }
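Review bot: The early return in canManageAuthorizationDefault makes manage-realm the only gate for the admin-permissions client's resource server, bypassing the checks that follow it. That is the fix the advisory describes: a manage-clients holder could previously reach the realm's admin-permission policies through this path. Add a regression test asserting that an admin holding only manage-clients is denied here and one holding manage-realm is allowed, so a later refactor cannot quietly loosen the gate.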
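Review bot: In canViewAuthorizationDefault the new comment says "check manage-realm or view-realm", but the code only calls super.canViewRealm(). If canViewRealm() already accepts the manage-realm role the comment is accurate; otherwise a manage-realm admin would lose view access to the admin-permissions client's authorization settings while still being allowed to manage them through the method above. Either cover that case in a test or make the comment match the call.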
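Review bot: getClient now returns null for a null resourceServer instead of throwing from resourceServer.getId(), but nothing in this hunk shows that its callers handle a null ClientModel. Check each caller in this file and add a short Javadoc line stating that null is a valid return, so the guard does not simply move the NullPointerException one frame up.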
References
- access.redhat.com/security/cve/CVE-2026-3121 (Vendor Advisory, via NVD)
- bugzilla.redhat.com/show_bug.cgi (Issue Tracking, Vendor Advisory, via NVD)
- github.com/advisories/GHSA-7xf9-4jfc-wgm4 (Advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2026-3121 (Advisory, via GHSA)
- access.redhat.com/errata/RHSA-2026:6477 (via NVD)
- access.redhat.com/errata/RHSA-2026:6478 (via NVD)
- github.com/keycloak/keycloak/commit/79ab3110a257fb8d6f1a664c916687128094ed01 (fix commit, via GHSA)
- github.com/keycloak/keycloak/issues/46719 (via GHSA)