Keycloak Privilege Escalation Vulnerability in Fine-Grained Admin Permissions

Vulnerability

A privilege escalation vulnerability exists in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management rights can exploit this flaw to assign any realm role, including highly privileged ones, to a client's scope mapping. This action bypasses established security controls, allowing the assigned role to be included in a user's authentication token when they access the altered client. Consequently, this could result in unauthorized privilege escalation within the Keycloak realm.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation by injecting arbitrary realm roles into a client's scope mapping, which are then projected into the authentication tokens of users accessing the modified client.

Reproduction

To reproduce this vulnerability, first ensure that FGAPv2 is enabled on the Keycloak realm. Then, create a delegated admin with fine-grained management permissions on a single client, without global client management rights or the MAP_ROLE_CLIENT_SCOPE permission on any privileged roles. As this delegated admin, send a request to add the realm-admin role to the client's scope mapping. This request will succeed, bypassing the necessary permission checks. Afterward, a user with the realm-admin role can authenticate through the modified client, and the injected role will be included in their authentication token.

Remediation

To address this vulnerability, disable the Fine-Grained Admin Permissions (FGAPv2) feature in Keycloak, unless it is absolutely necessary. This can usually be done by setting 'adminPermissionsEnabled' to 'false' in the realm configuration. After making this change, a restart or reload of the Keycloak service may be required for the changes to take effect.
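The two checks a defender wants after reading the reproduction and remediation above are (a) is FGAPv2 switched on in a realm, and (b) does any client already carry a privileged role such as realm-admin in its scope mappings. The following audit helper is an added example, not Keycloak's own code; it works on the JSON shapes returned by the admin REST API (RealmRepresentation from GET /admin/realms/{realm}, and the scope-mappings document from GET /admin/realms/{realm}/clients/{id}/scope-mappings) and uses constructed sample data so it runs offline. PRIVILEGED_ROLES, the client names and the sample values are assumptions.

```python
"""Audit helper for the FGAPv2 scope-mapping issue: flags realms with
adminPermissionsEnabled and clients whose scope mappings include privileged
roles. Added example; not part of Keycloak or the advisory."""
import json

# Roles whose presence in a client's scope mapping deserves review.
# 'realm-admin' is the role named in the advisory; extend for your deployment.
PRIVILEGED_ROLES = {"realm-admin"}


def fgap_enabled(realm_rep: dict) -> bool:
    """True when the RealmRepresentation has Fine-Grained Admin Permissions v2
    turned on, i.e. the configuration the advisory says to disable."""
    return bool(realm_rep.get("adminPermissionsEnabled", False))


def privileged_scope_mappings(mappings: dict) -> list:
    """Names of privileged roles in one client's scope mappings. Realm roles
    sit under 'realmMappings'; client roles under 'clientMappings' and are
    reported as '<client>:<role>'."""
    found = [r["name"] for r in mappings.get("realmMappings", [])
             if r.get("name") in PRIVILEGED_ROLES]
    for cm in mappings.get("clientMappings", {}).values():
        found += [f'{cm.get("client")}:{r["name"]}' for r in cm.get("mappings", [])
                  if r.get("name") in PRIVILEGED_ROLES]
    return sorted(found)


def audit(realm_rep: dict, mappings_by_client: dict) -> dict:
    """Combine both checks into one report keyed for logging or alerting."""
    flagged = {}
    for client_id, mappings in mappings_by_client.items():
        hits = privileged_scope_mappings(mappings)
        if hits:
            flagged[client_id] = hits
    return {"fgap_enabled": fgap_enabled(realm_rep), "flagged_clients": flagged}


# Constructed sample data (assumed values) mirroring the admin API shapes.
SAMPLE_REALM = json.loads('{"realm": "example", "adminPermissionsEnabled": true}')
SAMPLE_MAPPINGS = {
    "billing-app": {"realmMappings": [{"name": "offline_access"}, {"name": "realm-admin"}],
                    "clientMappings": {}},
    "ops-portal": {"realmMappings": [],
                   "clientMappings": {"realm-management": {
                       "client": "realm-management", "mappings": [{"name": "realm-admin"}]}}},
    "public-site": {"realmMappings": [{"name": "offline_access"}], "clientMappings": {}},
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_REALM, SAMPLE_MAPPINGS), indent=2))
```

Any client listed under flagged_clients should have the role removed from its scope mapping and the change traced back through the admin event log, whether or not FGAPv2 is then disabled.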

Added: May 28, 2026, 5:55 AM
Updated: May 28, 2026, 5:55 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 6.8
remediation: 8.3
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.