GHSA-p39j-8498-pcjwMediumCVSS 5.4

A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained...

Published
July 3, 2026
Last Modified
July 3, 2026

🔗 CVE IDs covered (1)

📋 Description

A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended.

🔗 References (4)