CVE-2026-9795
Severity: High  ·  Weakness type: CWE-266  ·  CVSS v3.1 base score: 7.3
Published: May 28, 2026  ·  Modified: Jun 3, 2026  ·  Source: NVD
📄 Description (English)

A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.

🤖 AI Executive Summary

CVE-2026-9795 is a privilege escalation vulnerability in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator who holds only limited client-management permissions can add arbitrary realm roles, including highly privileged ones, to a client's scope mappings; those roles are then projected into the tokens of users who authenticate to the modified client, bypassing the intended authorization boundary. The CVSS v3.1 base score is 7.3 (High): the attacker must already hold admin rights (PR:H) and a user must then authenticate to the altered client (UI:R), but a successful attack crosses the Keycloak authorization boundary into every application that trusts the realm (S:C). At the time of this analysis no patch was listed, so organizations that rely on Keycloak for identity and access management should apply the compensating controls in the remediation steps.

🤖 AI Intelligence Analysis (analyzed Jun 2, 2026 01:18)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations that use Keycloak for identity management, in particular:
1. Banking sector and SAMA-regulated institutions relying on Keycloak for customer and employee authentication
2. Government agencies and NCA-supervised entities using Keycloak for citizen services and internal access control
3. Healthcare providers managing patient data access through Keycloak
4. Energy sector (ARAMCO and subsidiaries) using Keycloak for operational technology access
5. Telecom operators (STC, Mobily, Zain) managing subscriber authentication
The privilege escalation capability could enable unauthorized access to sensitive financial data, government systems, patient records, and critical infrastructure controls.
🏢 Affected Saudi Sectors: Banking and Financial Services; Government and Public Administration; Healthcare and Medical Services; Energy and Utilities; Telecommunications; Insurance; E-commerce and Retail
⚖️ Saudi Risk Score (AI): 7.8 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Audit all Keycloak administrator accounts with client management permissions to identify potential unauthorized role assignments
2. Review client scope mappings for any suspicious or unexpected realm role assignments, particularly privileged roles
3. Implement enhanced logging and monitoring of Fine-Grained Admin Permissions (FGAPv2) operations
4. Restrict client management permissions to only essential administrators and implement principle of least privilege

Compensating Controls (until patch available):
5. Disable FGAPv2 feature if not actively required; use traditional admin role-based access control instead
6. Implement network-level access controls to limit who can access Keycloak admin console
7. Enable multi-factor authentication (MFA) for all Keycloak administrators
8. Implement real-time alerting for any role assignment changes to client scope mappings
9. Conduct regular audits of token contents to detect injected roles

Detection Rules:
10. Enable admin events for each realm (with "Include representation", so the event carries the submitted role list) and monitor them for CREATE operations on the REALM_SCOPE_MAPPING and CLIENT_SCOPE_MAPPING resource types, particularly where the representation names a privileged role (admin, realm-admin, realm-management client roles, or any composite role); the event's authDetails identify the acting administrator and source IP
11. Alert whenever an administrator whose FGAPv2 permissions are limited to client management modifies a client's scope mappings at all, since that is the action this flaw abuses
12. Compare the realm_access.roles and resource_access claims of issued access tokens (for example from gateway or resource-server logs) against a per-client allow-list of expected roles, and alert on unexpected privileged entries

Patching:
13. Subscribe to Keycloak security advisories and apply patches immediately upon release
14. Test patches in non-production environment before deployment
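The audit and detection steps above (1, 2, 9, 10 and 12) in runnable form, as an added example that is not from this advisory or from the Keycloak project. It works on the shapes returned by the Keycloak Admin REST API (ClientRepresentation, RoleRepresentation and AdminEventRepresentation, the latter only carrying a representation when admin events are enabled with "Include representation") and on the realm_access.roles claim of an access token. The privileged role list, client names, user IDs, timestamps and the sample token are constructed for the illustration and are assumptions; fetch_json is only used against a live server. Standard library only.

```python
import base64
import hashlib
import hmac
import json
import re
import urllib.request

# Role names treated as privileged here (an assumption; tune to your realm).
PRIVILEGED_ROLES = {"admin", "realm-admin", "create-realm", "manage-users", "manage-clients"}
# resourcePath of a scope-mapping change, e.g. clients/<uuid>/scope-mappings/realm
SCOPE_MAPPING_PATH = re.compile(r"^clients/[0-9a-f-]+/scope-mappings/(realm|clients/[0-9a-f-]+)$")


def fetch_json(base_url, realm, path, bearer):
    """GET /admin/realms/{realm}/{path} with an admin bearer token (live use only)."""
    req = urllib.request.Request(f"{base_url}/admin/realms/{realm}/{path}",
                                 headers={"Authorization": f"Bearer {bearer}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def privileged_scope_mappings(clients, realm_scope_mappings, privileged=PRIVILEGED_ROLES):
    """clients: ClientRepresentation list (GET .../clients). realm_scope_mappings:
    {client uuid: RoleRepresentation list} (GET .../clients/{id}/scope-mappings/realm).
    Flags privileged names and any composite role, since a composite can carry
    realm-management client roles under an innocuous name."""
    findings = []
    for client in clients:
        for role in realm_scope_mappings.get(client["id"], []):
            if role["name"] in privileged or role.get("composite"):
                findings.append((client["clientId"], role["name"]))
    return findings


def suspicious_admin_events(events, privileged=PRIVILEGED_ROLES):
    """events: AdminEventRepresentation list (GET .../admin-events). One hit per
    CREATE on a scope mapping whose representation names a privileged role,
    with the acting administrator taken from authDetails."""
    hits = []
    for ev in events:
        if ev.get("operationType") != "CREATE":
            continue
        if ev.get("resourceType") not in ("REALM_SCOPE_MAPPING", "CLIENT_SCOPE_MAPPING"):
            continue
        if not SCOPE_MAPPING_PATH.match(ev.get("resourcePath", "")):
            continue
        added = {r.get("name") for r in json.loads(ev.get("representation") or "[]")}
        if added & privileged:
            auth = ev.get("authDetails", {})
            hits.append({"time": ev.get("time"), "user": auth.get("userId"),
                         "ip": auth.get("ipAddress"), "path": ev["resourcePath"],
                         "roles": sorted(added & privileged)})
    return hits


def unexpected_realm_roles(access_token, allowed):
    """realm_access.roles in a captured access token that are not in `allowed`.
    The payload is decoded, not verified: this audits tokens seen in gateway or
    resource-server logs; signature checks belong at the resource server."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return sorted(set(claims.get("realm_access", {}).get("roles", [])) - set(allowed))


# ---- constructed sample data, shaped like the Admin REST API responses ----
_C1, _C2 = "3f2c1e9a-0b8d-4c1f-9a77-000000000001", "3f2c1e9a-0b8d-4c1f-9a77-000000000002"
SAMPLE_CLIENTS = [{"id": _C1, "clientId": "billing-portal"}, {"id": _C2, "clientId": "account"}]
SAMPLE_SCOPE_MAPPINGS = {
    _C1: [{"name": "offline_access", "composite": False}, {"name": "admin", "composite": True}],
    _C2: [{"name": "uma_authorization", "composite": False}],
}
SAMPLE_EVENTS = [
    {"time": 1780000000000, "operationType": "CREATE", "resourceType": "REALM_SCOPE_MAPPING",
     "resourcePath": f"clients/{_C2}/scope-mappings/realm",
     "representation": json.dumps([{"name": "offline_access", "composite": False}]),
     "authDetails": {"realmId": "master", "userId": "u-07", "ipAddress": "10.0.0.9"}},
    {"time": 1780000060000, "operationType": "CREATE", "resourceType": "REALM_SCOPE_MAPPING",
     "resourcePath": f"clients/{_C1}/scope-mappings/realm",
     "representation": json.dumps([{"name": "admin", "composite": True}]),
     "authDetails": {"realmId": "master", "userId": "u-42", "ipAddress": "10.0.0.5"}},
]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _constructed_token(claims):
    """Sample JWT signed with a throwaway HS256 key (real Keycloak tokens are RS256)."""
    head, body = _b64url(b'{"alg":"HS256","typ":"JWT"}'), _b64url(json.dumps(claims).encode())
    sig = _b64url(hmac.new(b"throwaway", f"{head}.{body}".encode(), hashlib.sha256).digest())
    return f"{head}.{body}.{sig}"


SAMPLE_TOKEN = _constructed_token({"azp": "billing-portal", "preferred_username": "alice",
                                   "realm_access": {"roles": ["offline_access", "admin"]}})
EXPECTED_REALM_ROLES = {"offline_access", "uma_authorization", "default-roles-demo"}

if __name__ == "__main__":
    print(privileged_scope_mappings(SAMPLE_CLIENTS, SAMPLE_SCOPE_MAPPINGS))  # [('billing-portal', 'admin')]
    print(suspicious_admin_events(SAMPLE_EVENTS))  # one hit, acting user u-42
    print(unexpected_realm_roles(SAMPLE_TOKEN, EXPECTED_REALM_ROLES))  # ['admin']
```

Run as-is to see the constructed data flagged. For a live realm, obtain an admin bearer token and call fetch_json(base, realm, "clients", tok), then fetch_json(base, realm, f"clients/{id}/scope-mappings/realm", tok) for each client id, and fetch_json(base, realm, "admin-events?resourceTypes=REALM_SCOPE_MAPPING", tok) for the event feed; without "Include representation" the events arrive with no representation field and the role-name check has nothing to match, so treat every hit on the path alone as worth a look in that case.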
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.2.1: User access rights management and principle of least privilege
ECC 2024 A.9.4.3: Review of user access rights and privilege management
ECC 2024 A.8.2.1: Information security roles and responsibilities
ECC 2024 A.12.4.1: Event logging and monitoring of administrative actions
🔵 SAMA CSF
SAMA CSF ID.AM-1: Asset management and inventory of identity systems
SAMA CSF PR.AC-1: Access control policies and procedures
SAMA CSF PR.AC-4: Access rights and privilege management
SAMA CSF DE.CM-1: Detection and monitoring of unauthorized access attempts
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3: Segregation of duties
ISO 27001:2022 A.8.2: Privileged access rights
ISO 27001:2022 A.8.3: Information access restriction
ISO 27001:2022 A.8.15: Logging (the 2013 edition's A.12.4.1 Event logging)
🟣 PCI DSS v4.0.1
PCI DSS 7.1: Limit access to system components by business need to know
PCI DSS 7.2: Establish an access control system for IT assets
PCI DSS 8.2: Ensure proper user identity management
PCI DSS 10.2: Implement automated audit trails for access to cardholder data
📊 CVSS v3.1 Base Score: 7.3 / 10.0 (High)
📊 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Attack Vector: N (Network)
Attack Complexity: H (High)
Privileges Required: H (High)
User Interaction: R (Required)
Scope: C (Changed)
Confidentiality: H (High)
Integrity: H (High)
Availability: N (None)
PR:H and UI:R together mean the attacker must already hold (limited) client-management admin rights in the realm and a target user must then authenticate to the modified client before the injected role appears in a token; the Changed scope reflects that a role granted inside Keycloak is honoured by every application that trusts the realm.
📋 Quick Facts
Severity: High
CVSS Score: 7.3
CWE: CWE-266
EPSS: 0.03%
Exploit: No
Patch: No
Published: 2026-05-28
Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.8 / 10.0 (Priority: HIGH)
🏷️ Tags: CWE-266