Is CVE-2026-4629 being exploited?

No public exploit is currently tracked.

How severe is CVE-2026-4629?

CVE-2026-4629 has a CVSS v3 severity of MEDIUM (6.5).

Back

CVE-2026-4629

Description

A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm.