CVE-2026-9795
ADVISORY - nist
Summary
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator who holds only limited client-management permissions can use it to add any realm role, including highly privileged ones, to a client's realm-role scope mapping. That bypasses the intended authorization boundary: once the role is in the client's scope mapping, it is projected into the tokens issued to users who authenticate through that client. The result is unauthorized privilege escalation within the Keycloak realm.
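The summary describes two things an operator wants to verify: whether the deployment is on a fixed build, and whether any client's realm-role scope mapping already carries roles that should never reach a token (the artifact a limited admin leaves behind when abusing this flaw). The script below is an added example written for this page; it is not code from the advisory, NIST, Red Hat or the Keycloak project. It assumes the shape of the Keycloak Admin REST API's RoleRepresentation and AdminEventRepresentation, the admin-event resourceType name `REALM_SCOPE_MAPPING`, and a deployment-specific list of role names treated as privileged; none of those come from the advisory text, and the sample data is constructed.

```python
"""Audit helpers for CVE-2026-9795 (Keycloak FGAPv2 scope-mapping privilege
escalation).  Added example; not code from the advisory or from Keycloak.

  1. is_fixed(version)                   -> is this Keycloak >= 26.6.4?
  2. find_privileged_scope_mappings(...) -> which clients already carry realm
     roles in their scope mapping that should never reach a token?
  3. suspicious_admin_events(...)        -> which admin events added realm
     roles to a client's scope mapping (the write this flaw allows)?

ASSUMPTIONS (not on the advisory page): the RoleRepresentation /
AdminEventRepresentation field names, the resourceType "REALM_SCOPE_MAPPING"
and the privileged role names are general Keycloak knowledge, not advisory
content.  All sample data is constructed.
"""
import json
import re
from typing import Dict, Iterable, List, Tuple

FIX_VERSION = (26, 6, 4)  # fix version listed in the package table

# Realm roles that must never sit in an ordinary client's scope mapping.
# Tune per deployment (assumption: these are the ones worth flagging by name).
PRIVILEGED_ROLE_NAMES = {"admin", "create-realm"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """'26.6.3' or '26.6.3-SNAPSHOT' -> (26, 6, 3); raises on unparseable input."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Keycloak version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_fixed(version: str) -> bool:
    """True when the running version is at or past the fixed release."""
    return parse_version(version) >= FIX_VERSION


def find_privileged_scope_mappings(
    mappings: Dict[str, List[dict]]
) -> List[Tuple[str, str, str]]:
    """mappings: {clientId: [RoleRepresentation, ...]}, one list per client as
    returned by the client's realm scope-mapping endpoint.  Returns
    (clientId, roleName, reason) for every role that warrants review: known
    privileged names, default-roles-* composites, and any composite role
    (a composite can hide realm-management client roles behind a bland name)."""
    findings = []
    for client_id, roles in sorted(mappings.items()):
        for role in roles:
            name = role.get("name", "")
            reasons = []
            if name in PRIVILEGED_ROLE_NAMES:
                reasons.append("privileged realm role")
            if name.startswith("default-roles-"):
                reasons.append("realm default-roles composite")
            if role.get("composite"):
                reasons.append("composite role: expand and inspect members")
            if reasons:
                findings.append((client_id, name, "; ".join(reasons)))
    return findings


_CLIENT_SCOPE_PATH = re.compile(r"^clients/([^/]+)/scope-mappings/realm$")


def suspicious_admin_events(events: Iterable[dict]) -> List[dict]:
    """Keep admin events that CREATE a realm-role scope mapping on a client.
    Each hit names the actor and the roles added, so the actor's FGAPv2 grant
    can be compared with what they actually changed."""
    hits = []
    for ev in events:
        if ev.get("operationType") != "CREATE" or ev.get("resourceType") != "REALM_SCOPE_MAPPING":
            continue
        m = _CLIENT_SCOPE_PATH.match(ev.get("resourcePath", ""))
        if not m:
            continue
        rep = ev.get("representation") or "[]"  # admin events carry a JSON string
        roles = json.loads(rep) if isinstance(rep, str) else rep
        auth = ev.get("authDetails", {})
        hits.append({
            "time": ev.get("time"),
            "actor": auth.get("userId"),
            "actor_ip": auth.get("ipAddress"),
            "client_uuid": m.group(1),
            "roles": sorted(r.get("name", "") for r in roles),
        })
    return hits


# Constructed sample: per-client realm scope mappings, one role list per client.
SAMPLE_MAPPINGS = {
    "my-app": [
        {"id": "a1", "name": "offline_access", "composite": False, "clientRole": False},
        {"id": "a2", "name": "admin", "composite": True, "clientRole": False},
    ],
    "reporting": [
        {"id": "b1", "name": "uma_authorization", "composite": False, "clientRole": False},
    ],
}

# Constructed sample admin events: one unrelated user creation, one scope-mapping write.
SAMPLE_ADMIN_EVENTS = [
    {"time": 1, "operationType": "CREATE", "resourceType": "USER",
     "resourcePath": "users/u-9", "authDetails": {"userId": "u-1", "ipAddress": "10.0.0.5"}},
    {"time": 2, "operationType": "CREATE", "resourceType": "REALM_SCOPE_MAPPING",
     "resourcePath": "clients/c-7/scope-mappings/realm",
     "representation": json.dumps([{"id": "a2", "name": "admin", "composite": True}]),
     "authDetails": {"userId": "u-limited-admin", "ipAddress": "10.0.0.5"}},
]

if __name__ == "__main__":
    for v in ("26.6.3", "26.6.4"):
        print(v, "fixed" if is_fixed(v) else "VULNERABLE (CVE-2026-9795)")
    for client, role, why in find_privileged_scope_mappings(SAMPLE_MAPPINGS):
        print(f"review: client={client} role={role} ({why})")
    for hit in suspicious_admin_events(SAMPLE_ADMIN_EVENTS):
        print("scope-mapping write:", hit)
```

To run this against a live realm, feed `find_privileged_scope_mappings` the JSON from each client's realm scope-mapping endpoint under the Admin REST API and `suspicious_admin_events` the realm's admin events; the `representation` field is only populated when the realm has admin events enabled with "include representation" turned on, and events predating that setting will not exist at all, so the scope-mapping audit is the check that works retroactively. A composite hit is a prompt to expand the role, not a verdict by itself.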
EPSS score: 0.00286 (percentile 0.203)
Common Weakness Enumeration (CWE)
ADVISORY - nist: CWE-266 Incorrect Privilege Assignment
ADVISORY - redhat: CWE-266 Incorrect Privilege Assignment
Docker
ADVISORY ID: CVE-2026-9795
EXPLOITABILITY SCORE: -
EXPLOITS FOUND: -
COMMON WEAKNESS ENUMERATION (CWE): -
| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| keycloak | dhi | - | - | <26.6.4 | 26.6.4 |
Severity and metrics
No CVSS data available from this advisory.
NIST
ADVISORY ID: CVE-2026-9795
EXPLOITABILITY SCORE: 1
EXPLOITS FOUND: -
COMMON WEAKNESS ENUMERATION (CWE): Incorrect Privilege Assignment
CVSS SCORE: 7.3 (High)
Red Hat
ADVISORY ID: CVE-2026-9795
EXPLOITABILITY SCORE: 1.0
EXPLOITS FOUND: -
COMMON WEAKNESS ENUMERATION (CWE): Incorrect Privilege Assignment