PatchSiren cyber security CVE debrief

CVE-2026-9795 Red Hat CVE debrief

A privilege escalation vulnerability exists in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can assign arbitrary realm roles—including highly privileged roles—to a client's scope mapping. This bypasses intended access controls and causes the injected role to be projected into user authentication tokens when accessing the modified client, enabling unauthorized privilege escalation within the Keycloak realm.

Vendor
Red Hat
Product
Red Hat Build of Keycloak
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

Organizations operating Keycloak identity and access management infrastructure with FGAPv2 enabled; security teams managing delegated administrative permissions; compliance officers responsible for least-privilege enforcement in identity systems

Technical summary

The vulnerability resides in Keycloak's Fine-Grained Admin Permissions version 2 (FGAPv2), which provides granular administrative access control. The flaw allows an administrator possessing only limited client management permissions to circumvent intended restrictions and assign any realm role to a client's scope mapping configuration. When users subsequently authenticate to the modified client, the injected role is projected into their access tokens. This represents an incorrect privilege assignment (CWE-266) where the scope mapping modification capability is not properly constrained by the administrator's own role limitations. The attack requires network access (AV:N), high attack complexity (AC:H), high privileges (PR:H), and user interaction (UI:R), with changed scope (S:C) enabling impact on confidentiality (C:H) and integrity (I:H) of the affected system.

Defensive priority

HIGH

Recommended defensive actions

  • Review and restrict client management permissions for administrators using FGAPv2
  • Audit client scope mappings for unauthorized role assignments
  • Monitor authentication tokens for unexpected role projections
  • Apply vendor patches when available from Red Hat
  • Review Keycloak admin audit logs for suspicious scope mapping modifications
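The two audit actions above (checking client scope mappings for privileged realm roles, and checking issued tokens for roles a client should not project) can be scripted. The block below is an added example for this debrief, not code from PatchSiren, Red Hat or the Keycloak project. It assumes the JSON shapes returned by Keycloak's admin REST API for `GET /admin/realms/{realm}/clients` and `GET /admin/realms/{realm}/clients/{id}/scope-mappings/realm` (a list of role representations with a `name` field), uses constructed sample data in place of live API calls, and treats the privileged-role list as a tunable assumption rather than a Keycloak constant.

```python
import base64
import json

# Realm roles that should not appear in any client's scope mapping unless an
# owner has explicitly approved it. This set is an assumption for the example;
# extend it with the realm's own high-privilege roles.
PRIVILEGED_REALM_ROLES = {"admin", "create-realm"}

# Constructed sample data (not real clients or mappings), shaped like the
# admin REST API responses: a client list and, per client id, the realm roles
# found in that client's scope mapping.
SAMPLE_CLIENTS = [
    {"id": "c1", "clientId": "billing-app"},
    {"id": "c2", "clientId": "support-portal"},
]
SAMPLE_REALM_SCOPE_MAPPINGS = {
    "c1": [{"name": "offline_access"}],
    "c2": [{"name": "offline_access"}, {"name": "admin"}],
}


def audit_scope_mappings(clients, mappings, privileged=PRIVILEGED_REALM_ROLES,
                         approved=None):
    """Return (clientId, role) pairs where a privileged realm role is mapped
    into a client's scope and is not on that client's approved allow-list."""
    approved = approved or {}
    findings = []
    for client in clients:
        allowed = approved.get(client["clientId"], set())
        for role in mappings.get(client["id"], []):
            name = role["name"]
            if name in privileged and name not in allowed:
                findings.append((client["clientId"], name))
    return findings


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_realm_roles(access_token):
    """Read realm_access.roles from a JWT payload WITHOUT verifying the
    signature. This is for offline review of tokens already logged or
    accepted by the server; it must never drive an authorization decision."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("realm_access", {}).get("roles", []))


def unexpected_roles(access_token, expected_roles):
    """Realm roles projected into the token that the client is not expected
    to carry; a non-empty result is the detection signal for this CVE."""
    return token_realm_roles(access_token) - set(expected_roles)


def make_unsigned_token(payload):
    # Constructed, unsigned token used only to give the example a realistic
    # three-part JWT string to parse. Real Keycloak tokens are signed.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


if __name__ == "__main__":
    for client_id, role in audit_scope_mappings(SAMPLE_CLIENTS, SAMPLE_REALM_SCOPE_MAPPINGS):
        print(f"FINDING: client {client_id!r} maps privileged realm role {role!r}")

    sample_token = make_unsigned_token({
        "azp": "support-portal",
        "realm_access": {"roles": ["offline_access", "admin"]},
    })
    extra = unexpected_roles(sample_token, {"offline_access"})
    if extra:
        print(f"FINDING: token for support-portal carries unexpected roles {sorted(extra)}")
```

Running the audit on a schedule and diffing its output against a reviewed baseline turns the "audit client scope mappings" action into a detection: a privileged role appearing in a client's mapping between two runs is exactly the change this vulnerability lets a limited administrator make, and the admin event log for that window should show who made it.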

Evidence notes

CVE published 2026-05-28T05:16:41.003Z; modified 2026-05-28T13:44:54.327Z. Vendor attribution to Red Hat based on source references. CVSS 7.3 (HIGH). CWE-266 (Incorrect Privilege Assignment).

Official resources

2026-05-28