Keycloak Privilege Escalation Vulnerability in Admin Console with FGAPv2 Enabled

Vulnerability

A privilege escalation vulnerability exists in Keycloak's identity and access management system, specifically in version 26.2.x when Fine-Grained Admin Permissions (FGAPv2) are activated. The issue arises from inadequate enforcement of administrative privileges, allowing users with the manage-users role to elevate their rights to realm-admin. This vulnerability disrupts the proper separation of administrative responsibilities, posing a security threat to the realm by enabling unauthorized access to realm configurations and user data.

Impact

Exploitation of this vulnerability allows for unauthorized elevation of privileges, enabling a user with manage-users rights to gain full administrative access within the realm.

Reproduction

To reproduce this vulnerability, an administrative user with the manage-users role must access the Keycloak admin console. Once logged in, the user can edit their own roles through the admin REST interface. By self-assigning the realm-admin role, the user can escalate their privileges and gain unauthorized access to realm management features and user information.
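A defender-side check for the pattern described above, added here as an example that is not part of the original advisory or of the Keycloak project: it scans Keycloak admin event records for an administrator who grants realm-admin to their own user. It assumes the realm's admin events are enabled with representations included; the sample events, user IDs and client IDs below are constructed placeholders.

```python
import json

# Constructed sample admin events, shaped like the records Keycloak keeps when a
# realm's admin events are enabled. User and client IDs are placeholders.
ACTOR = "11111111-aaaa-4bbb-8ccc-000000000001"
AUTH = {"userId": ACTOR, "clientId": "admin-cli", "ipAddress": "203.0.113.7"}
SELF_PATH = f"users/{ACTOR}/role-mappings/clients/realm-mgmt-client-id"
SAMPLE_ADMIN_EVENTS = [
    # the pattern described above: the manage-users holder grants realm-admin to self
    {"time": 1752840000000, "operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": SELF_PATH, "authDetails": AUTH,
     "representation": json.dumps([{"name": "realm-admin", "clientRole": True}])},
    # benign: the same admin assigns an ordinary realm role to a different user
    {"time": 1752840001000, "operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/22222222-aaaa-4bbb-8ccc-000000000002/role-mappings/realm",
     "authDetails": AUTH, "representation": json.dumps([{"name": "offline_access"}])},
    # self-grant with no representation (include-representation disabled): role unknown
    {"time": 1752840002000, "operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": SELF_PATH, "authDetails": AUTH},
]
SENSITIVE_ROLES = {"realm-admin"}

def is_self_role_grant(event):
    """True when the acting admin added a role mapping to their own user record."""
    if event.get("operationType") != "CREATE" or event.get("resourceType") not in (
            "REALM_ROLE_MAPPING", "CLIENT_ROLE_MAPPING"):
        return False
    actor = event.get("authDetails", {}).get("userId")
    parts = event.get("resourcePath", "").split("/")
    # resourcePath is users/<userId>/role-mappings/realm or .../role-mappings/clients/<id>
    return parts[:3] == ["users", actor, "role-mappings"]

def granted_roles(event):
    """Role names from the event's JSON representation; empty if unparseable."""
    try:
        roles = json.loads(event.get("representation") or "[]")
    except ValueError:
        return set()
    return {r.get("name") for r in roles if isinstance(r, dict)}

def find_self_escalations(events, sensitive=SENSITIVE_ROLES):
    """Self-grants of a sensitive role as (time, actor, roles); self-grants that carry
    no representation are reported too, because their role cannot be verified."""
    findings = []
    for ev in events:
        if not is_self_role_grant(ev):
            continue
        if "representation" not in ev:
            findings.append((ev["time"], ev["authDetails"]["userId"], ["<representation missing>"]))
        elif hit := granted_roles(ev) & sensitive:
            findings.append((ev["time"], ev["authDetails"]["userId"], sorted(hit)))
    return findings
```

The same records are what the admin console's Events view and the admin events REST endpoint return, so the check can run over an export of either; without "include representation" enabled, only the self-grant itself is visible, not which role was granted.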

Added: Jul 18, 2025, 2:18 PM
Updated: Jul 18, 2025, 2:18 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 6.8
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.