PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-16106 Red Hat CVE debrief

A flaw was found in the admin REST API of Keycloak, a solution for identity and access management. The issue occurs when a delegated administrator attempts to remove a child role from a composite role. Due to missing authorization checks, an attacker with limited administrative permissions can remove privileged roles they are not authorized to manage, leading to a loss of access for other users and administrators. This vulnerability affects Keycloak systems, particularly those with delegated administrative permissions, and could disrupt access management if exploited.

Vendor
Red Hat
Product
Red Hat Build of Keycloak
CVSS
MEDIUM 4.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Administrators and users of Keycloak systems, especially those with delegated administrative permissions, should be aware of this vulnerability and take necessary actions to mitigate it. Keycloak operators, platform administrators, and security teams should review the vulnerability details and implement compensating controls or vendor patches as needed.

Technical summary

The vulnerability occurs in the admin REST API of Keycloak, specifically when handling composite roles. An attacker with limited administrative permissions can exploit this flaw to remove privileged roles they are not authorized to manage, potentially disrupting access for other users and administrators. This issue affects Keycloak systems with delegated administrative permissions. To verify, defenders should review Keycloak documentation and vendor advisories for accurate affected scope and mitigation strategies. The CVE record was published on 2026-07-17T17:17:14.510Z and was last modified on 2026-07-17T18:08:08.140Z.

Defensive priority

Medium priority due to the potential impact on access management and the relatively low CVSS score of 4.9. However, defenders should prioritize patching or mitigating this vulnerability to prevent potential disruptions to Keycloak systems and maintain access management integrity.

Recommended defensive actions

  • Review and update Keycloak configurations to ensure proper authorization checks are in place.
  • Limit administrative permissions to only those necessary for each role.
  • Monitor Keycloak systems for any suspicious activity related to role management.
  • Apply patches or updates provided by the vendor as soon as possible.
  • Perform a thorough review of existing roles and permissions to identify potential exposure.
  • Implement additional logging and monitoring to detect unusual role management activities.
  • Conduct regular security audits to ensure compliance with access management policies.

Evidence notes

The CVE record was published on 2026-07-17T17:17:14.510Z and was last modified on 2026-07-17T18:08:08.140Z. The NVD entry is currently Awaiting Analysis. Limited information is available about the specific affected versions or configurations of Keycloak. To verify, defenders should review Keycloak documentation and vendor advisories for accurate affected scope and mitigation strategies.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:14.510Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.