{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-11986","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2026-06-11T14:18:10.409Z","datePublished":"2026-06-11T16:47:11.862Z","dateUpdated":"2026-06-11T18:50:30.698Z"},"containers":{"cna":{"title":"Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of keycloak","metrics":[{"other":{"content":{"value":"Moderate","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.9,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control."}],"affected":[{"vendor":"Red Hat","product":"Red Hat Build of Keycloak","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"keycloak-rest-admin-ui-ext","defaultStatus":"affected","cpes":["cpe:/a:redhat:build_keycloak:"]},{"vendor":"Red Hat","product":"Red Hat Build of Keycloak","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"rhbk/keycloak-rhel9","defaultStatus":"affected","cpes":["cpe:/a:redhat:build_keycloak:"]},{"vendor":"Red Hat","product":"Red Hat Build of Keycloak","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"rhbk-openshift-rhel9/rhbk-openshift-rhel9","defaultStatus":"affected","cpes":["cpe:/a:redhat:build_keycloak:"]},{"vendor":"Red Hat","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","collectionURL":"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html","packageName":"keycloak-rest-admin-ui-ext","defaultStatus":"unaffected","cpes":["cpe:/a:redhat:jbosseapxp"]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-11986","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2487906","name":"RHBZ#2487906","tags":["issue-tracking","x_refsource_REDHAT"]}],"datePublic":"2026-06-11T14:17:32.078Z","problemTypes":[{"descriptions":[{"cweId":"CWE-425","description":"Direct Request ('Forced Browsing')","lang":"en","type":"CWE"}]}],"x_redhatCweChain":"CWE-425: Direct Request ('Forced Browsing')","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"timeline":[{"lang":"en","time":"2026-06-08T18:22:02.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-11T14:17:32.078Z","value":"Made public."}],"credits":[{"lang":"en","value":"Red Hat would like to thank Wesley \"Alardiians\" Colquitt (Byteshyft Studios) for reporting this issue."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2026-06-11T16:47:11.862Z"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-11T18:49:43.250186Z","id":"CVE-2026-11986","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-11T18:50:30.698Z"}}]}}