Privilege Escalation in Keycloak admin-ui-ext Bulk Role-Removal
CVE-2026-11986 Published on June 11, 2026
Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of keycloak
A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.
Vulnerability Analysis
CVE-2026-11986 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.
Timeline
Reported to Red Hat.
Made public. 3 days later.
Weakness Type
What is a forced browsing Vulnerability?
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.
CVE-2026-11986 has been classified to as a forced browsing vulnerability or weakness.
Products Associated with CVE-2026-11986
stack.watch emails you whenever new vulnerabilities are published in Red Hat Build Keycloak or Red Hat Jbosseapxp. Just hit a watch button to start following.
