CVE-2026-16106 in Keycloak
Summary
by MITRE • 07/17/2026
A flaw was found in the admin REST API of Keycloak, a solution for identity and access management. The issue occurs when a delegated administrator attempts to remove a child role from a composite role. Due to missing authorization checks, an attacker with limited administrative permissions can remove privileged roles they are not authorized to manage, leading to a loss of access for other users and administrators.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
This vulnerability exists within Keycloak's administrative rest api where insufficient authorization controls permit unauthorized privilege escalation through role management operations. The flaw specifically manifests when a delegated administrator attempts to remove a child role from a composite role structure, creating a path for attackers to manipulate access controls beyond their designated permissions. This represents a critical authorization bypass that undermines the core security model of the identity and access management system.
The technical implementation issue stems from missing validation checks within the api endpoint responsible for role composition modifications. When a delegated administrator invokes the remove operation on a composite role, the system fails to verify whether the requesting user possesses sufficient privileges to modify the target role's composition. This gap allows attackers with limited administrative rights to effectively escalate their permissions by removing roles that should remain protected and accessible only to higher-privileged administrators.
The operational impact of this vulnerability extends beyond simple privilege escalation as it fundamentally compromises the integrity of access control policies within Keycloak deployments. An attacker could systematically remove critical roles from composite role structures, potentially locking out legitimate users and administrators who depend on those privileges for system access. This creates a persistent security risk where unauthorized modifications can persist across sessions and affect multiple users simultaneously.
The vulnerability aligns with CWE-285 which addresses improper authorization scenarios in software systems, specifically targeting insufficient checks or incorrect enforcement of access controls. From an attacker perspective this flaw maps to ATT&CK technique T1078 004 which involves valid accounts being used to gain additional privileges through manipulation of access control mechanisms. The security implications are particularly severe in enterprise environments where Keycloak manages authentication for multiple applications and services.
Organizations should immediately implement mitigations including enhanced role-based access controls, regular permission audits, and monitoring of administrative api calls. Configuration reviews must ensure that delegated administrators only receive the minimum necessary permissions to perform their duties. Additionally, implementing additional logging and alerting mechanisms around role composition changes will help detect unauthorized modifications. Regular security assessments and penetration testing should validate that authorization boundaries remain properly enforced throughout the system architecture.