CVE-2026-3121

MEDIUM

Keycloak: org.keycloak/keycloak-services: keycloak: privilege escalation via manage-clients permission

Title source: cna

Description

A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.

References (4)

[Vdb Entry, X_Refsource_Redhat] https://access.redhat.com/security/cve/CVE-2026-3121

[Issue Tracking, X_Refsource_Redhat] https://bugzilla.redhat.com/show_bug.cgi?id=2442277

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2026:6477

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2026:6478

Scores

CVSS v3 6.5

EPSS 0.0001

EPSS Percentile 1.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-266

Status published

Products (12)

org.keycloak/keycloak-services 0 - 26.5.6Maven

Red Hat/Red Hat Build of Keycloak

Red Hat/Red Hat build of Keycloak 26.4 26.4-14

Red Hat/Red Hat build of Keycloak 26.4 26.4.11-1

Red Hat/Red Hat build of Keycloak 26.4.11

Red Hat/Red Hat JBoss Enterprise Application Platform 8

Red Hat/Red Hat JBoss Enterprise Application Platform Expansion Pack

Red Hat/Red Hat Single Sign-On 7

redhat/build_of_keycloak

redhat/jboss_enterprise_application_platform 8.0.0

... and 2 more

Published Mar 26, 2026

Tracked Since Mar 27, 2026