Bug 2501739 (CVE-2026-16106) - CVE-2026-16106 keycloak-services: keycloak-services: Incorrect authorization in admin role-composite deletion allows delegated admin to remove privileged child roles
Summary: CVE-2026-16106 keycloak-services: keycloak-services: Incorrect authorization ...
Keywords:
Status: NEW
Alias: CVE-2026-16106
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-17 14:53 UTC by OSIDB Bzimport
Modified: 2026-07-17 14:54 UTC (History)
28 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-17 14:53:27 UTC
An incorrect authorization flaw was found in the Keycloak admin REST API endpoints responsible for removing child roles from composite roles. Specifically, the DELETE /admin/realms/{realm}/roles-by-id/{role-id}/composites and DELETE /admin/realms/{realm}/roles/{role-name}/composites endpoints only verify if the caller has manage permissions on the parent role container. They fail to enforce the per-child role check that is correctly implemented in the corresponding add operation.
To exploit this, an attacker must have a delegated admin account with manage permissions on a parent role container (such as manage-realm or Fine-Grained Admin Permissions on a specific role container). No user interaction is required. A successful attack allows a delegated administrator to remove privileged child roles (like realm-admin) from existing composites. This results in stripping those roles from all users or groups assigned to the composite, effectively degrading the privileges of other administrators or disrupting realm-wide functionality by modifying default roles.


Note You need to log in before you can comment on or make changes to this bug.