Bug 2489140 (CVE-2026-12388) - CVE-2026-12388 keycloak-broker: Keycloak: Privilege escalation to realm administrator via improper authorization in identity provider mapper
Summary: CVE-2026-12388 keycloak-broker: Keycloak: Privilege escalation to realm admin...
Keywords:
Status: NEW
Alias: CVE-2026-12388
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-16 11:39 UTC by OSIDB Bzimport
Modified: 2026-06-30 11:50 UTC (History)
11 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-16 11:39:07 UTC
An improper authorization flaw was discovered in the org.keycloak.broker component of Keycloak. The identity provider mapper endpoint fails to enforce the requireMapRole authorization check, which is standard for other role-mapping endpoints.
An attacker with the manage-identity-providers permission can exploit this by:
Configuring a new OIDC or SAML Identity Provider (IdP) pointing to a server they control.

Adding a "Hardcoded Role" mapper to that IdP that targets a high-privilege role, such as realm-admin.

Authenticating through the malicious IdP.


Because the mapper does not verify if the administrator has the authority to grant the target role, the role is successfully injected into the user's session, resulting in a full privilege escalation from a delegated administrator to a realm administrator. This issue is distinct from CVE-2026-4629, as it resides in a different code path related to IdP mappers rather than client management.


Note You need to log in before you can comment on or make changes to this bug.