CVE-2026-3121: Keycloak: manage-clients permission escalates to full realm admin access
A flaw was found in Keycloak. The manage-clients permission is treated as equivalent to manage-permissions, so an administrator holding only manage-clients can escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.
References
- access.redhat.com/errata/RHSA-2026:6477
- access.redhat.com/errata/RHSA-2026:6478
- access.redhat.com/security/cve/CVE-2026-3121
- bugzilla.redhat.com/show_bug.cgi?id=2442277
- github.com/advisories/GHSA-7xf9-4jfc-wgm4
- github.com/keycloak/keycloak
- github.com/keycloak/keycloak/commit/79ab3110a257fb8d6f1a664c916687128094ed01
- github.com/keycloak/keycloak/issues/46719
- nvd.nist.gov/vuln/detail/CVE-2026-3121