Fedora Account System
Red Hat Associate
Red Hat Customer
An improper authorization flaw was discovered in the org.keycloak.broker component of Keycloak. The identity provider mapper endpoint fails to enforce the requireMapRole authorization check, which is standard for other role-mapping endpoints. An attacker with the manage-identity-providers permission can exploit this by: Configuring a new OIDC or SAML Identity Provider (IdP) pointing to a server they control. Adding a "Hardcoded Role" mapper to that IdP that targets a high-privilege role, such as realm-admin. Authenticating through the malicious IdP. Because the mapper does not verify if the administrator has the authority to grant the target role, the role is successfully injected into the user's session, resulting in a full privilege escalation from a delegated administrator to a realm administrator. This issue is distinct from CVE-2026-4629, as it resides in a different code path related to IdP mappers rather than client management.