CVE-2026-11986
4.9 MEDIUM · A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities
Published: 2026-06-11 · Last updated: 2026-06-11
Severity and scoring
- CVSS
- 4.9 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
- CWE
- CWE-425
Description
A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.
Source: NVD
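The pattern the description points at is a bulk endpoint that authorizes the request once, at a coarse level, and then deletes every role mapping in the batch without asking whether the caller may unmap each individual role. The following is an added illustration of that bug class beside its hardened form; it is not Keycloak code, and the permission model (a per-admin set of roles the delegate may map or unmap, plus a coarse "manage users" flag) is a simplified stand-in for Keycloak's fine-grained admin permissions, chosen only to make the difference between the two checks concrete.

```python
"""Illustration of a bulk role-removal endpoint that checks permissions per
request versus per role mapping. Added example, not Keycloak code; the
Admin/User model below is an assumption standing in for a real permission
system."""
from __future__ import annotations

from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class Admin:
    name: str
    # Roles this delegated admin is allowed to map or unmap on other users.
    # Assumed model: a per-role grant, analogous to a fine-grained
    # "map-roles" style permission.
    may_manage_roles: frozenset[str]
    # Coarse permission: may this admin touch user role mappings at all?
    can_manage_users: bool = True


@dataclass
class User:
    username: str
    roles: set[str] = field(default_factory=set)


def bulk_remove_roles_vulnerable(admin: Admin, user: User, roles: list[str]) -> list[str]:
    """Vulnerable pattern: one coarse check at the endpoint, then every
    mapping in the batch is deleted regardless of which role it is."""
    if not admin.can_manage_users:
        raise PermissionDenied("manage-users")
    removed = [r for r in roles if r in user.roles]
    user.roles.difference_update(roles)
    return removed


def bulk_remove_roles_fixed(admin: Admin, user: User, roles: list[str]) -> list[str]:
    """Hardened pattern: the coarse check still applies, and in addition
    every role in the batch is authorized individually before anything is
    mutated, so one disallowed role rejects the whole batch and leaves the
    user's mappings untouched (no partial deletes)."""
    if not admin.can_manage_users:
        raise PermissionDenied("manage-users")
    denied = sorted(r for r in roles if r not in admin.may_manage_roles)
    if denied:
        raise PermissionDenied(f"{admin.name} may not unmap: {denied}")
    removed = [r for r in roles if r in user.roles]
    user.roles.difference_update(roles)
    return removed


def demo() -> dict[str, object]:
    """Constructed scenario: a help-desk delegate allowed to manage only the
    'viewer' role tries to strip both 'viewer' and 'realm-admin' from a user."""
    helpdesk = Admin("helpdesk", frozenset({"viewer"}))
    batch = ["realm-admin", "viewer"]

    victim = User("alice", {"realm-admin", "viewer"})
    removed_by_vulnerable = bulk_remove_roles_vulnerable(helpdesk, victim, batch)

    victim2 = User("alice", {"realm-admin", "viewer"})
    try:
        bulk_remove_roles_fixed(helpdesk, victim2, batch)
        fixed_denied = False
    except PermissionDenied:
        fixed_denied = True

    return {
        "vulnerable_removed": removed_by_vulnerable,   # ['realm-admin', 'viewer']
        "vulnerable_roles_left": set(victim.roles),     # set()
        "fixed_denied": fixed_denied,                   # True
        "fixed_roles_left": set(victim2.roles),         # {'realm-admin', 'viewer'}
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check worth carrying over to a real code base is the shape of the fixed version: authorize each mapping in the batch against the caller's grants before any write, and fail closed on the first disallowed item. Reviewing bulk or "remove all" endpoints for a single endpoint-level check is a cheap way to find this class of issue in other admin APIs as well.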
References
Related CVEs
Same CWE
- CVE-2026-34028 — The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an aut...
- CVE-2026-8205 — Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView o... (5.3 MEDIUM)
- CVE-2026-7500 — When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled (5.4 MEDIUM)
- CVE-2025-15587 — Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's passwor...