Fedora Account System
Red Hat Associate
Red Hat Customer
An incorrect authorization flaw was found in the Keycloak admin REST API endpoints responsible for removing child roles from composite roles. Specifically, the DELETE /admin/realms/{realm}/roles-by-id/{role-id}/composites and DELETE /admin/realms/{realm}/roles/{role-name}/composites endpoints only verify if the caller has manage permissions on the parent role container. They fail to enforce the per-child role check that is correctly implemented in the corresponding add operation. To exploit this, an attacker must have a delegated admin account with manage permissions on a parent role container (such as manage-realm or Fine-Grained Admin Permissions on a specific role container). No user interaction is required. A successful attack allows a delegated administrator to remove privileged child roles (like realm-admin) from existing composites. This results in stripping those roles from all users or groups assigned to the composite, effectively degrading the privileges of other administrators or disrupting realm-wide functionality by modifying default roles.