CVE-2026-3121

moderate-risk

Published 2026-03-26

A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (4)

Build Of Keycloak

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform Expansion Pack

Single Sign-On

Affected Vendors

Redhat

References (4)

https://access.redhat.com/errata/RHSA-2026:6477

https://access.redhat.com/errata/RHSA-2026:6478

Vendor Advisory https://access.redhat.com/security/cve/CVE-2026-3121

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=2442277

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 0/34 · Minimal

Exposure 10/34 · Low