Fedora Account System
Red Hat Associate
Red Hat Customer
Summary Under FGAPv2, the ScopeMappedResource and ScopeMappedClientResource write endpoints (add and delete scope mappings) do not call requireMapClientScope per role. An admin holding only fine-grained manage on a single client can attach any realm role — including realm-admin — to that client's scope mapping, bypassing the MAP_ROLE_CLIENT_SCOPE permission boundary. When a privileged user subsequently authenticates through the modified client, the injected role is projected into the issued token. Requirements to exploit FGAPv2 enabled on the realm (adminPermissionsEnabled=true) Attacker holds fine-grained manage permission on at least one client A user holding the targeted role (e.g. realm-admin) must authenticate through the modified client *Component affected:* org.keycloak.services.resources.admin *Version affected:* All versions with FGAPv2 support *Patch available:* no *File issue trackers?* Yes *CVSS:* CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N (7.3 High) *Embargo:* no *Acknowledgement:* Andrej Tomci Github - @andrejtomci Steps to reproduce 1. Enable FGAPv2 on the realm (adminPermissionsEnabled=true) 2. Create a delegated admin with fine-grained manage on a single client — no global manage-clients, no MAP_ROLE_CLIENT_SCOPE on any privileged role 3. As the delegated admin, call POST /admin/realms/{r}/clients/{uuid}/scope-mappings/realm with realm-admin in the roles body — the request succeeds despite no MAP_ROLE_CLIENT_SCOPE permission 4. Optionally flip fullScopeAllowed=true on the client via PUT /admin/realms/{r}/clients/{uuid} 5. Authenticate as a user holding realm-admin through the modified client 6. Inspect the issued token — realm-admin is projected into the token via the injected scope mapping