CVE-2026-12388 | A flaw was found in the Identity Provider (IdP) mapper compo… | CVSS 6.5 MEDIUM

Description

A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role" mapper that assigns high-level administrative roles (like realm-admin) to themselves or others. This allows a restricted administrator to bypass security checks and gain full control over the entire realm.

Metadata

CVE ID: CVE-2026-12388
State: PUBLISHED
Assigner: redhat
Reserved: 2026-06-16 11:41 UTC
Published: 2026-06-30 12:00 UTC
Last updated: 2026-06-30 15:58 UTC
Primary CWE: CWE-266
Incorrect Privilege Assignment
Vendor / Product: Red Hat / Red Hat Build of Keycloak
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Red Hat	Red Hat Build of Keycloak	—	—

Weakness (CWE)

CWE	Source	Description
CWE-266	cna	Incorrect Privilege Assignment

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.5	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

References (2)