A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.
Weakness
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/127.html
- https://cwe.mitre.org/data/definitions/143.html
- https://cwe.mitre.org/data/definitions/144.html
- https://cwe.mitre.org/data/definitions/668.html
- https://cwe.mitre.org/data/definitions/87.html