A user with only the manage-clients role can escalate to realm-admin by adding a hardcoded role mapper (oidc-hardcoded-role-mapper) to any client. The mapper injects realm-admin into tokens at generation time, bypassing the client's scope restrictions (fullScopeAllowed: false).

*Steps to reproduce:*
1. Create a user with only the manage-clients role (no user, role or realm access).
2. As that user, add an oidc-hardcoded-role-mapper to any client with config: {"role": "realm-management.realm-admin"}
3. Authenticate through that client.
4. The token is generated with the realm-admin role injected (bypasses fullScopeAllowed: false).
5. Use the token to call the admin API; full realm-admin access is confirmed.
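An added example, not part of the report above, showing the two checks an administrator would want after reading it: an audit over client representations (the shape used by a Keycloak realm export / admin API client list) that flags every hardcoded role mapper and marks those that grant realm-management client roles, and a decoder that reads the roles a token actually carries. The client data and the token are constructed inline for the demonstration; the token decoder only parses the payload and does not verify the signature, so it is an inspection helper, not an authorization check.

```python
import base64
import json

HARDCODED_ROLE_MAPPER = "oidc-hardcoded-role-mapper"
REALM_ADMIN = "realm-management.realm-admin"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def find_hardcoded_role_mappers(clients):
    """Return one finding per oidc-hardcoded-role-mapper across all clients.

    Any such mapper deserves review: it adds a role to every token issued
    through that client regardless of the authenticated user's actual role
    assignments and regardless of fullScopeAllowed. Mappers that hand out
    realm-management client roles (realm-admin above all) are flagged.
    """
    findings = []
    for client in clients:
        for mapper in client.get("protocolMappers", []):
            if mapper.get("protocolMapper") != HARDCODED_ROLE_MAPPER:
                continue
            role = mapper.get("config", {}).get("role", "")
            findings.append({
                "clientId": client.get("clientId"),
                "mapper": mapper.get("name"),
                "role": role,
                "fullScopeAllowed": client.get("fullScopeAllowed"),
                # Client roles are written "<clientId>.<role>" in the mapper config.
                "grants_realm_management": role.startswith("realm-management."),
            })
    return findings


def token_roles(jwt: str):
    """Roles carried in a JWT payload (no signature check; inspection only)."""
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    realm_roles = set(payload.get("realm_access", {}).get("roles", []))
    client_roles = {
        f"{client_id}.{role}"
        for client_id, entry in payload.get("resource_access", {}).items()
        for role in entry.get("roles", [])
    }
    return realm_roles | client_roles


def token_grants_realm_admin(jwt: str) -> bool:
    return REALM_ADMIN in token_roles(jwt)


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed alg=none JWT so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


# Constructed sample clients: one carries the injected mapper from the report.
SAMPLE_CLIENTS = [
    {
        "clientId": "billing-app",
        "fullScopeAllowed": False,
        "protocolMappers": [
            {"name": "username", "protocol": "openid-connect",
             "protocolMapper": "oidc-usermodel-property-mapper",
             "config": {"user.attribute": "username",
                        "claim.name": "preferred_username"}},
            {"name": "totally-legit", "protocol": "openid-connect",
             "protocolMapper": HARDCODED_ROLE_MAPPER,
             "config": {"role": REALM_ADMIN}},
        ],
    },
    {"clientId": "reporting", "fullScopeAllowed": True, "protocolMappers": []},
]

# Constructed tokens: what a victim client issues with and without the mapper.
INJECTED_TOKEN = make_unsigned_token({
    "azp": "billing-app",
    "realm_access": {"roles": ["offline_access"]},
    "resource_access": {"realm-management": {"roles": ["realm-admin"]}},
})
CLEAN_TOKEN = make_unsigned_token({
    "azp": "billing-app",
    "realm_access": {"roles": ["offline_access"]},
    "resource_access": {"realm-management": {"roles": ["manage-clients"]}},
})

if __name__ == "__main__":
    for f in find_hardcoded_role_mappers(SAMPLE_CLIENTS):
        print(f)
    print("injected token is realm-admin:", token_grants_realm_admin(INJECTED_TOKEN))
    print("clean token is realm-admin:", token_grants_realm_admin(CLEAN_TOKEN))
```

Run the audit against the output of `GET /admin/realms/{realm}/clients` (or a realm export) rather than a single client, since the attacker can attach the mapper to any client they can manage; the finding's `fullScopeAllowed: False` is the point of the report, the mapper wins regardless of that setting.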