Medium severity (CVSS 6.5, NVD) · Published Mar 26, 2026 · Updated Apr 2, 2026
CVE-2026-3121
Description
A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.keycloak:keycloak-services | Maven | < 26.5.6 | 26.5.6 |
Affected products
- cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
References
- access.redhat.com/security/cve/CVE-2026-3121 (NVD: Vendor Advisory)
- bugzilla.redhat.com/show_bug.cgi (NVD: Issue Tracking, Vendor Advisory)
- github.com/advisories/GHSA-7xf9-4jfc-wgm4 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-3121 (GHSA: Advisory)
- access.redhat.com/errata/RHSA-2026:6477 (NVD)
- access.redhat.com/errata/RHSA-2026:6478 (NVD)
- github.com/keycloak/keycloak/commit/79ab3110a257fb8d6f1a664c916687128094ed01 (GHSA: fix commit)
- github.com/keycloak/keycloak/issues/46719 (GHSA: issue)