CVE-2026-3121 | THREATINT

Description

A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.

PUBLISHED Reserved 2026-02-24 | Published 2026-03-26 | Updated 2026-04-02 | Assigner redhat

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Problem types

Incorrect Privilege Assignment

Product status

Default status

affected

26.4.11-1 (rpm) before *

unaffected

Default status

affected

26.4-14 (rpm) before *

unaffected

Default status

affected

26.4-14 (rpm) before *

unaffected

Default status

unaffected

Default status

affected

Default status

affected

Default status

unaffected

Timeline

2026-02-24:	Reported to Red Hat.
2026-02-24:	Made public.

References

access.redhat.com/errata/RHSA-2026:6477 (RHSA-2026:6477) vendor-advisory

access.redhat.com/errata/RHSA-2026:6478 (RHSA-2026:6478) vendor-advisory

access.redhat.com/security/cve/CVE-2026-3121 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2442277 (RHBZ#2442277) issue-tracking

cve.org (CVE-2026-3121)

nvd.nist.gov (CVE-2026-3121)

Download JSON

help @ threatint.eu