CVE-2026-3121
Published: 26 March 2026
Summary
CVE-2026-3121 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Red Hat Build of Keycloak. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 1.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege) directly counters the incorrect privilege assignment by ensuring that `manage-clients` does not grant access equivalent to `manage-permissions`.
- AC-3 (Access Enforcement) requires the system to correctly implement and distinguish between permissions such as `manage-clients` and `manage-permissions`, blocking the escalation path.
- AC-2 (Account Management) requires reviewing administrator accounts and assigning only the privileges they need, which limits over-privileging in Keycloak realms.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a privilege escalation vulnerability in Keycloak stemming from incorrect privilege assignment (CWE-266): a limited administrative permission (`manage-clients`) is treated as the broader `manage-permissions`. An adversary holding the limited permission can therefore elevate to control of roles, users, and other realm admin functions, which maps to T1068 (Exploitation for Privilege Escalation).
NVD Description
A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.
Deeper analysis
CVE-2026-3121 is a privilege escalation vulnerability in Keycloak, published on 2026-03-26. The flaw arises from a misconfiguration where an administrator with the `manage-clients` permission is treated as equivalent to having `manage-permissions` when admin permissions are enabled at the realm level. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. The vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-266: Incorrect Privilege Assignment.
The attack requires high privileges (PR:H), specifically an authenticated administrator with `manage-clients` permission in a Keycloak realm where admin permissions are enabled. Exploitation occurs over the network with low complexity and no user interaction, enabling the attacker to achieve high confidentiality and integrity impacts by escalating to broader administrative controls, such as managing roles, users, and other realm functions.
Red Hat has issued security errata RHSA-2026:6477 and RHSA-2026:6478 to address this issue in affected Keycloak versions. Further details on the vulnerability, including mitigation and patching instructions, are available on the Red Hat CVE page at https://access.redhat.com/security/cve/CVE-2026-3121 and the associated Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2442277.
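The AC-2/AC-6 review above and the precondition described in the analysis (an account holding `manage-clients` in a realm where admin permissions are enabled) suggest a concrete check a defender can run before patching: enumerate who effectively holds `manage-clients` and whether the realm flag is set. The script below is an added example, not Keycloak's or Red Hat's code. It works offline over a constructed realm export embedded inline; the export layout it parses (`users`/`groups` with `clientRoles` keyed by the `realm-management` client, group paths in a user's `groups` list, nested `subGroups`, and role inheritance from parent groups) follows Keycloak's export format as I understand it, and the `adminPermissionsEnabled` realm field is an assumed name, so confirm both against an export from your own version.

```python
"""Audit a Keycloak realm export for accounts that effectively hold manage-clients.

Added example (not Keycloak's or Red Hat's code). The export layout below is
constructed sample data, and the ``adminPermissionsEnabled`` realm field is an
assumed name for the "admin permissions enabled at the realm level" setting.
"""
import json

REALM_MGMT_CLIENT = "realm-management"   # client whose roles are the realm admin roles
WATCHED_ROLE = "manage-clients"          # the permission CVE-2026-3121 over-grants
ADMIN_PERMS_FLAG = "adminPermissionsEnabled"  # assumed field name

# Constructed sample export (trimmed): three users, one nested group tree.
SAMPLE_EXPORT = json.dumps({
    "realm": "acme",
    ADMIN_PERMS_FLAG: True,
    "users": [
        {"username": "alice", "groups": [],
         "clientRoles": {REALM_MGMT_CLIENT: ["manage-clients", "view-users"]}},
        {"username": "bob", "groups": ["/ops/client-admins"], "clientRoles": {}},
        {"username": "carol", "groups": ["/ops"],
         "clientRoles": {REALM_MGMT_CLIENT: ["view-clients"]}},
    ],
    "groups": [
        {"name": "ops", "path": "/ops",
         "clientRoles": {REALM_MGMT_CLIENT: ["view-realm"]},
         "subGroups": [
             {"name": "client-admins", "path": "/ops/client-admins",
              "clientRoles": {REALM_MGMT_CLIENT: ["manage-clients"]},
              "subGroups": []},
         ]},
    ],
})


def _group_roles(groups, inherited=frozenset()):
    """Map each group path to its effective realm-management roles.

    Members of a subgroup inherit the parent group's role mappings, so the
    parent's roles are carried down the recursion.
    """
    result = {}
    for group in groups:
        own = set(group.get("clientRoles", {}).get(REALM_MGMT_CLIENT, []))
        effective = own | set(inherited)
        result[group["path"]] = effective
        result.update(_group_roles(group.get("subGroups", []), frozenset(effective)))
    return result


def effective_admin_roles(user, group_roles):
    """Return (roles, sources): direct realm-management roles plus those granted
    through group membership, with the first source that granted each role."""
    roles = set(user.get("clientRoles", {}).get(REALM_MGMT_CLIENT, []))
    sources = {role: "direct" for role in roles}
    for path in user.get("groups", []):
        for role in group_roles.get(path, set()):
            if role not in roles:
                roles.add(role)
                sources[role] = f"group:{path}"
    return roles, sources


def audit_realm(export_json):
    """Return one finding per user who effectively holds WATCHED_ROLE, sorted by
    username, noting whether the realm-level admin permissions flag is set."""
    export = json.loads(export_json)
    group_roles = _group_roles(export.get("groups", []))
    flag_set = bool(export.get(ADMIN_PERMS_FLAG, False))
    findings = []
    for user in export.get("users", []):
        roles, sources = effective_admin_roles(user, group_roles)
        if WATCHED_ROLE in roles:
            findings.append({
                "realm": export["realm"],
                "username": user["username"],
                "via": sources[WATCHED_ROLE],
                "roles": sorted(roles),
                "admin_permissions_enabled": flag_set,
            })
    return sorted(findings, key=lambda f: f["username"])


if __name__ == "__main__":
    for finding in audit_realm(SAMPLE_EXPORT):
        print(f"{finding['realm']}: {finding['username']} holds {WATCHED_ROLE} "
              f"via {finding['via']}; effective roles {finding['roles']}; "
              f"admin permissions enabled: {finding['admin_permissions_enabled']}")
```

Each finding lists the accounts to review under AC-2 and the path by which the role arrived (a direct mapping or a group), which is what matters when trimming membership; a realm whose flag is reported as enabled is the one the advisory's precondition applies to, so those findings are the ones to resolve first alongside applying the errata.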
Details
- CWE(s)