Bug 2487906 (CVE-2026-11986)

Summary: CVE-2026-11986 keycloak-rest-admin-ui-ext: Authorization Bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of Keycloak
Product: [Other] Security Response
Component: vulnerability
Reporter: OSIDB Bzimport <bzimport>
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
CC: aschwart, asoldano, aszczucz, bbaranow, bmaxwell, boliveir, bstansbe, dlofthou, drichtar, istudens, ivassile, iweiss, mosmerov, mposolda, msvehla, nwallace, pesilva, pjindal, pmackay, rmartinc, rstancel, security-response-team, ssilvert, sthorger, thjenkin, vdosoudi, vmuzikar

Doc Text:
A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.

Description (OSIDB Bzimport, 2026-06-11 14:15:11 UTC)
An authorization bypass vulnerability exists in the Keycloak admin-ui-ext bulk role-mapping-delete endpoints (POST /admin/realms/{realm}/ui-ext/role-mapping-delete/users/{id} and POST /admin/realms/{realm}/ui-ext/role-mapping-delete/groups/{id}). The implementation only performs a container-level authorization check (requireMapRoles) but fails to enforce the per-role authorization check (requireMapRole) required by the standard Admin REST API.
As a result, an authenticated attacker with high privileges (specifically a delegated administrator with manage-users permissions) can bypass intended restrictions to remove sensitive realm-management roles (such as manage-realm, manage-clients, or realm-admin) from other administrators. This operation is correctly blocked with a 403 Forbidden error when attempted via the standard Admin REST API.
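The check the report says is missing, shown as an added illustration that is not Keycloak's code: a self-contained Java model in which a bulk delete handler runs only the container-level requireMapRoles check (the vulnerable shape) next to one that also runs requireMapRole for every role in the request before mutating anything (the fixed shape). The class names, the simplified permission rules, the role names assigned to the sample admin and the Admin record are all constructed for this example; only the two check names and the role names manage-users, manage-realm, manage-clients and realm-admin come from the report.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical model of the authorization gap described above. It is NOT Keycloak
// code: the evaluator, its rules and the sample data are constructed for illustration.
public class RoleMappingDeleteExample {

    static class ForbiddenException extends RuntimeException {
        ForbiddenException(String msg) { super(msg); }
    }

    // A delegated admin; its own realm-management roles decide what it may map/unmap.
    record Admin(String name, Set<String> realmManagementRoles) {}

    // Roles treated as privileged in this model (constructed from the report's examples).
    static final Set<String> SENSITIVE_ROLES = Set.of("manage-realm", "manage-clients", "realm-admin");

    // Stand-in for a permission evaluator (assumed, simplified behaviour).
    static class PermissionEvaluator {
        private final Admin admin;
        PermissionEvaluator(Admin admin) { this.admin = admin; }

        // Container-level check: may this admin touch user role mappings at all?
        void requireMapRoles() {
            if (!admin.realmManagementRoles().contains("manage-users")) {
                throw new ForbiddenException(admin.name() + " lacks manage-users");
            }
        }

        // Per-role check: may this admin map or unmap this specific role?
        // Modelled rule: a sensitive realm-management role needs realm-admin;
        // everything else is covered by manage-users.
        void requireMapRole(String role) {
            if (SENSITIVE_ROLES.contains(role) && !admin.realmManagementRoles().contains("realm-admin")) {
                throw new ForbiddenException(admin.name() + " may not map role " + role);
            }
        }
    }

    // Vulnerable shape: a single container-level check, then every requested role is removed.
    static Set<String> deleteRoleMappingsVulnerable(Admin caller, Set<String> userRoles, List<String> toRemove) {
        PermissionEvaluator auth = new PermissionEvaluator(caller);
        auth.requireMapRoles();
        Set<String> remaining = new HashSet<>(userRoles);
        remaining.removeAll(toRemove);
        return remaining;
    }

    // Fixed shape: container-level check plus a per-role check on each role, before any change.
    static Set<String> deleteRoleMappingsFixed(Admin caller, Set<String> userRoles, List<String> toRemove) {
        PermissionEvaluator auth = new PermissionEvaluator(caller);
        auth.requireMapRoles();
        for (String role : toRemove) {
            auth.requireMapRole(role);   // fail closed before mutating anything
        }
        Set<String> remaining = new HashSet<>(userRoles);
        remaining.removeAll(toRemove);
        return remaining;
    }

    public static void main(String[] args) {
        // Constructed sample: a helpdesk admin holding only manage-users tries to strip
        // manage-realm from another administrator.
        Admin delegated = new Admin("helpdesk", Set.of("manage-users"));
        Set<String> targetRoles = Set.of("manage-realm", "offline_access");
        List<String> request = List.of("manage-realm");

        System.out.println("vulnerable handler left: " + deleteRoleMappingsVulnerable(delegated, targetRoles, request));
        try {
            deleteRoleMappingsFixed(delegated, targetRoles, request);
        } catch (ForbiddenException e) {
            System.out.println("fixed handler: 403 " + e.getMessage());
        }
    }
}
```

Running main shows the vulnerable handler returning the target with only offline_access left, while the fixed handler throws before touching the mapping, which is the 403 behaviour the report says the standard Admin REST API already enforces. The per-role loop runs to completion before any removal so that a partially applied bulk request cannot leave the target in a half-modified state.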