Bug 2487906 (CVE-2026-11986) - CVE-2026-11986 keycloak-rest-admin-ui-ext: Authorization Bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of Keycloak
Status: NEW
Alias: CVE-2026-11986
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security
Reported: 2026-06-11 14:15 UTC by OSIDB Bzimport
Modified: 2026-06-11 14:28 UTC (History)

Description OSIDB Bzimport 2026-06-11 14:15:11 UTC
An authorization bypass vulnerability exists in the Keycloak admin-ui-ext bulk role-mapping-delete endpoints (POST /admin/realms/{realm}/ui-ext/role-mapping-delete/users/{id} and POST /admin/realms/{realm}/ui-ext/role-mapping-delete/groups/{id}). The implementation only performs a container-level authorization check (requireMapRoles) but fails to enforce the per-role authorization check (requireMapRole) required by the standard Admin REST API.
As a result, an authenticated attacker with high privileges (specifically a delegated administrator with manage-users permissions) can bypass intended restrictions to remove sensitive realm-management roles (such as manage-realm, manage-clients, or realm-admin) from other administrators. This operation is correctly blocked with a 403 Forbidden error when attempted via the standard Admin REST API.
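The two authorization levels the description contrasts, as an added model that is not Keycloak's code: all class and method names are assumptions standing in for the container-level check (requireMapRoles on the target user or group) and the per-role check (requireMapRole on each role being removed). The fixed handler evaluates every role before touching any mapping, so one forbidden role rejects the whole bulk request with a 403 instead of partially applying it.

```python
# Added illustration of the advisory's missing per-role check.
# All names are assumptions, not Keycloak's actual classes or API.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stands in for an HTTP 403 Forbidden from the Admin REST API."""


@dataclass
class Admin:
    name: str
    manage_users: bool  # satisfies the container-level check for any user
    mappable_roles: set = field(default_factory=set)  # roles this admin may map/unmap


@dataclass
class User:
    name: str
    roles: set


class Evaluator:
    """Models the two permission levels the advisory contrasts."""

    def __init__(self, caller: Admin):
        self.caller = caller

    def require_map_roles(self, target: User) -> None:
        # Container-level: may the caller touch this user's role mappings at all?
        if not self.caller.manage_users:
            raise Forbidden(f"{self.caller.name} may not manage {target.name}")

    def require_map_role(self, role: str) -> None:
        # Per-role: may the caller map or unmap this specific role?
        if role not in self.caller.mappable_roles:
            raise Forbidden(f"{self.caller.name} may not map role {role}")


def bulk_delete_vulnerable(auth: Evaluator, target: User, roles: list) -> set:
    """Container check only: the pattern the advisory describes as the bug."""
    auth.require_map_roles(target)
    target.roles -= set(roles)
    return target.roles


def bulk_delete_fixed(auth: Evaluator, target: User, roles: list) -> set:
    """Container check plus per-role checks, all evaluated before any removal,
    so a request containing one forbidden role changes nothing."""
    auth.require_map_roles(target)
    for role in roles:
        auth.require_map_role(role)
    target.roles -= set(roles)
    return target.roles
```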
