FGAP v2 client scope assignment bypass via ClientResource
Summary
A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended. The Red Hat Product Security team has assessed the severity of this vulnerability as Moderate, given that exploitation requires the attacker to already hold a delegated administrator role with specific client management permissions and knowledge of internal resource identifiers (UUIDs). Successful exploitation allows an attacker to bypass fine-grained authorization boundaries to modify the contents of tokens issued by Keycloak, potentially leading to unauthorized actions in downstream applications. The vulnerability's root cause is a missing authorization check on the referenced client scope during the assignment process in the admin REST API. Affected Red Hat products: Red Hat Build of Keycloak. Red Hat does not currently list a fixing RHSA for this CVE.
Mitigation
Mitigation steps weren't captured by the parser for this advisory — this is a parsing gap, not a statement that no fix exists. Read the vendor advisory below for the authoritative guidance.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.