CVE-2026-3121

CWE-266 | 6 documents | 6 sources
Severity: 7.2 HIGH
EPSS: 0.0% (top 91.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 26

Description

A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Exploitability: 1.2 | Impact: 5.2

🔴 Vulnerability Details (3)

GHSA: Keycloak: manage-clients permission escalates to full realm admin access (2026-03-26)
OSV: Keycloak: manage-clients permission escalates to full realm admin access (2026-03-26)
CVEList: Keycloak: org.keycloak/keycloak-services: keycloak: privilege escalation via manage-clients permission (2026-03-26)

📋 Vendor Advisories (1)

Red Hat: keycloak: org.keycloak/keycloak-services: Keycloak: Privilege escalation via manage-clients permission (2026-02-24)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-3121 Impact, Exploitability, and Mitigation Steps | Wiz