A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.
PUBLISHED5.2CWE-266
Keycloak: org.keycloak/keycloak-services: keycloak: privilege escalation via manage-clients permission
Problem type
Affected products
Red Hat
Red Hat Build of Keycloak
Red Hat JBoss Enterprise Application Platform 8
Red Hat JBoss Enterprise Application Platform Expansion Pack
Red Hat Single Sign-On 7
References
access.redhat.com
https://access.redhat.com/security/cve/CVE-2026-3121
RHBZ#2442277
https://bugzilla.redhat.com/show_bug.cgi?id=2442277
GitHub Security Advisories
GHSA-7xf9-4jfc-wgm4
A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a...
https://github.com/advisories/GHSA-7xf9-4jfc-wgm4A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-3121Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-3121",
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"dateUpdated": "2026-03-26T19:13:26.086Z",
"dateReserved": "2026-02-24T13:09:39.644Z",
"datePublished": "2026-03-26T19:13:26.086Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat",
"dateUpdated": "2026-03-26T19:13:26.086Z"
},
"datePublic": "2026-02-24T11:11:00.000Z",
"title": "Keycloak: org.keycloak/keycloak-services: keycloak: privilege escalation via manage-clients permission",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level."
}
],
"affected": [
{
"vendor": "Red Hat",
"product": "Red Hat Build of Keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "rhbk/keycloak-rhel9",
"cpes": [
"cpe:/a:redhat:build_keycloak:"
],
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "keycloak-services",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
],
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "keycloak-services",
"cpes": [
"cpe:/a:redhat:jbosseapxp"
],
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat Single Sign-On 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "keycloak-services",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7"
],
"defaultStatus": "unaffected"
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Incorrect Privilege Assignment",
"cweId": "CWE-266",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://access.redhat.com/security/cve/CVE-2026-3121",
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
]
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442277",
"name": "RHBZ#2442277",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
]
}
],
"metrics": [
{},
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "HIGH",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM"
}
}
],
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"timeline": [
{
"time": "2026-02-24T13:06:55.355Z",
"lang": "en",
"value": "Reported to Red Hat."
},
{
"time": "2026-02-24T11:11:00.000Z",
"lang": "en",
"value": "Made public."
}
]
}
}
}