Keycloak Advisory: Privilege Escalation in Admin Console (FGAPv2)
· Security · IDPTrust
Summary
Keycloak published a new security advisory: Privilege Escalation in Keycloak Admin Console (FGAPv2 Enabled).
Official source: GHSA-27gp-8389-hm4w (https://github.com/keycloak/keycloak/security/advisories/GHSA-27gp-8389-hm4w).
Severity: Moderate
Affected package: org.keycloak:keycloak-services (Maven)
Affected versions: > 26.2.0, < 26.2.6 (only when FGAPv2 is enabled)
Patched versions: 26.2.6 and 26.3.0
What’s the issue?
A flaw in admin permission enforcement allows a user who holds only the manage-users role (a client role of realm-management) to grant themselves realm-admin, the composite role that carries every realm-management permission, when FGAPv2 is enabled on Keycloak 26.2.x before 26.2.6.
Root cause: missing privilege boundary checks when role mappings are changed through the Admin REST API, so a caller is not stopped from mapping roles that exceed their own.
Impact: a malicious limited admin escalates to full administration of the realm, including realm configuration and access to all user data in it.
Who is affected?
- Deployments on Keycloak 26.2.x before 26.2.6 with FGAPv2 enabled (FGAPv2 is a preview feature in 26.2 and is off unless explicitly enabled).
- Deployments on 26.2.6 or later, or on 26.3.0 or later, are not affected; deployments that have not enabled FGAPv2 are not exposed to this issue.
Our status (IDPTrust)
- All managed customers have been notified.
- Patch windows are scheduled across all environments (dev, staging, production) to move to 26.2.6 or 26.3.0 depending on compatibility.
- We are verifying FGAPv2 usage per realm and tightening admin role boundaries.
Recommended actions
- Upgrade to 26.2.6 or 26.3.0 as soon as feasible.
- If you cannot upgrade immediately:
- Disable FGAPv2 temporarily if your deployment allows it (on 26.2 it is the preview feature `admin-fine-grained-authz:v2`, enabled through the `--features` startup option or the `KC_FEATURES` environment variable); bear in mind that any admin delegation you built on FGAPv2 stops applying until it is re-enabled.
- Review admin user assignments; ensure no user with limited rights can edit their own role mappings.
- Restrict access to the Admin REST API and audit its usage.
- Audit recent admin role changes for suspicious self-assignments.
How to check your deployment
- Confirm your Keycloak version: Admin Console → Server Info, the `systemInfo.version` field of `GET /admin/serverinfo`, or the container image tag.
- Check whether FGAPv2 is enabled: look for `admin-fine-grained-authz:v2` in your `--features` / `KC_FEATURES` setting or in the "Preview features enabled" line of the startup log, then check each realm's Admin Permissions toggle in the realm settings, since the feature is switched on per realm.
- Review Admin Events for role-mapping changes: admin events must be saved for the realm (Realm settings → Events → Admin events settings, ideally with "Include representation" so the granted roles are recorded), then filter on resource types REALM_ROLE_MAPPING and CLIENT_ROLE_MAPPING with operation type CREATE and look for events where the acting user is also the target user, and for any grant of realm-admin.
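To make the last two checks repeatable, here is an added example (written for this page; it is not IDPTrust or Keycloak project code) that classifies a version/feature combination against the affected range and scans exported admin events for role-mapping grants that deserve review. The event shape follows the admin-events endpoint of the Admin REST API; the user and client IDs and the three sample events are constructed for the example. It treats 26.2.0 as in range to stay on the safe side, since FGAPv2 first shipped in 26.2.

```python
"""Triage helper for the FGAPv2 privilege-escalation advisory (added example).

Two offline checks: is a version/feature combination in the advisory's affected
range, and which admin events show a role-mapping grant that deserves review
(an actor granting roles to their own account, or any grant of realm-admin).
"""
from __future__ import annotations

import json
import re
from typing import Iterable

# Affected range from the advisory; 26.2.0 treated as in range (conservative).
AFFECTED_LOW = (26, 2, 0)
AFFECTED_HIGH = (26, 2, 6)  # exclusive: 26.2.6 and 26.3.0 carry the fix

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# resourcePath of a role-mapping admin event on a user:
#   users/<user-uuid>/role-mappings/realm
#   users/<user-uuid>/role-mappings/clients/<client-uuid>
USER_ROLE_PATH = re.compile(r"^users/([0-9a-fA-F-]{36})/role-mappings/")
ROLE_MAPPING_TYPES = {"REALM_ROLE_MAPPING", "CLIENT_ROLE_MAPPING"}


def parse_version(version: str) -> tuple[int, int, int]:
    """'26.2.5' -> (26, 2, 5); raises ValueError for anything unrecognised."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Keycloak version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3])


def is_affected(version: str, fgapv2_enabled: bool) -> bool:
    """True only when the version is in range AND FGAPv2 is switched on."""
    if not fgapv2_enabled:
        return False
    return AFFECTED_LOW <= parse_version(version) < AFFECTED_HIGH


def role_names(representation) -> set[str]:
    """Admin events carry the request body as a JSON string when 'include
    representation' is on; for role-mapping CREATEs it is a list of roles."""
    if not representation:
        return set()
    try:
        roles = json.loads(representation)
    except (TypeError, ValueError):
        return set()
    if isinstance(roles, dict):
        roles = [roles]
    return {r["name"] for r in roles if isinstance(r, dict) and r.get("name")}


def find_suspicious_role_grants(events: Iterable[dict],
                                watch_roles=("realm-admin",)) -> list[dict]:
    """CREATE role-mapping events where the actor targeted their own account
    or granted one of watch_roles, each with the reasons it was flagged."""
    findings = []
    for ev in events:
        if ev.get("operationType") != "CREATE" or ev.get("resourceType") not in ROLE_MAPPING_TYPES:
            continue
        m = USER_ROLE_PATH.match(ev.get("resourcePath", ""))
        if not m:
            continue
        target = m.group(1)
        actor = (ev.get("authDetails") or {}).get("userId")
        granted = role_names(ev.get("representation"))
        reasons = []
        if actor and actor == target:
            reasons.append("self-assignment")
        hits = granted & set(watch_roles)
        if hits:
            reasons.append("grants " + ", ".join(sorted(hits)))
        if reasons:
            findings.append({"time": ev.get("time"), "actor": actor, "target": target,
                             "roles": sorted(granted), "reasons": reasons})
    return findings


# Constructed sample admin events (placeholder UUIDs, not a real deployment).
ADMIN_ID = "11111111-1111-1111-1111-111111111111"
LIMITED_ADMIN_ID = "22222222-2222-2222-2222-222222222222"
SOME_USER_ID = "33333333-3333-3333-3333-333333333333"
REALM_MGMT_CLIENT_ID = "44444444-4444-4444-4444-444444444444"

SAMPLE_EVENTS = [
    {   # routine: a full admin grants offline_access to another user
        "time": 1753700000000, "operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",
        "resourcePath": f"users/{SOME_USER_ID}/role-mappings/realm",
        "authDetails": {"userId": ADMIN_ID, "clientId": "admin-cli"},
        "representation": json.dumps([{"name": "offline_access", "clientRole": False}]),
    },
    {   # the pattern in this advisory: a limited admin adds realm-admin to themselves
        "time": 1753700100000, "operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
        "resourcePath": f"users/{LIMITED_ADMIN_ID}/role-mappings/clients/{REALM_MGMT_CLIENT_ID}",
        "authDetails": {"userId": LIMITED_ADMIN_ID, "clientId": "admin-cli"},
        "representation": json.dumps([{"name": "realm-admin", "clientRole": True,
                                       "containerId": REALM_MGMT_CLIENT_ID}]),
    },
    {   # a removal, not a grant: ignored
        "time": 1753700200000, "operationType": "DELETE", "resourceType": "REALM_ROLE_MAPPING",
        "resourcePath": f"users/{SOME_USER_ID}/role-mappings/realm",
        "authDetails": {"userId": ADMIN_ID, "clientId": "admin-cli"},
        "representation": None,
    },
]

if __name__ == "__main__":
    print("26.2.5 + FGAPv2 affected:", is_affected("26.2.5", True))
    print("26.2.6 + FGAPv2 affected:", is_affected("26.2.6", True))
    for finding in find_suspicious_role_grants(SAMPLE_EVENTS):
        print(finding)
```

For live data, pull the events with an admin bearer token from `GET /admin/realms/{realm}/admin-events?resourceTypes=REALM_ROLE_MAPPING&resourceTypes=CLIENT_ROLE_MAPPING&operationTypes=CREATE` (optionally narrowed with `dateFrom`/`dateTo`) and pass the returned JSON array to `find_suspicious_role_grants`. The self-assignment match compares `authDetails.userId` with the user ID in `resourcePath`, so it only fires for admins whose account lives in the same realm as the target, which is exactly the delegated-admin situation FGAPv2 is used for; an admin authenticated in the master realm has a different user ID and is caught only by the realm-admin watch list. If "Include representation" was off when the events were written, the granted role names are unavailable and only the self-assignment signal remains.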
Timeline
- Advisory published: 2025-07-29 (by rmartinc).
- IDPTrust notification & patch scheduling: 2025-07-29.
For questions or help planning the update, contact your IDPTrust support channel.