CVE-2026-16106 in Keycloak
Riassunto
di MITRE • 17/07/2026
A flaw was found in the admin REST API of Keycloak, a solution for identity and access management. The issue occurs when a delegated administrator attempts to remove a child role from a composite role. Due to missing authorization checks, an attacker with limited administrative permissions can remove privileged roles they are not authorized to manage, leading to a loss of access for other users and administrators.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.