No advisories yet.
Solution
No solution given by the vendor.
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Wed, 01 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 30 Jun 2026 12:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm. | |
| Title | Keycloak: keycloak: privilege escalation through hardcoded role mapper injection | |
| First Time appeared |
Redhat
Redhat build Keycloak |
|
| Weaknesses | CWE-266 | |
| CPEs | cpe:/a:redhat:build_keycloak: | |
| Vendors & Products |
Redhat
Redhat build Keycloak |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-07-01T14:26:59.489Z
Reserved: 2026-03-23T08:02:49.337Z
Link: CVE-2026-4629
Updated: 2026-07-01T14:26:44.273Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-06-30T20:45:03Z