CVE-2026-9795 PUBLISHED

Keycloak: privilege escalation via improper scope mapping enforcement

Assigner: redhat
Reserved: 28.05.2026 Published: 28.05.2026 Updated: 28.05.2026

A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
CVSS Score: 7.3

Product Status

Vendor: Red Hat
Product: Red Hat Build of Keycloak
Versions: Default: affected

Workarounds

To mitigate this issue, disable the Fine-Grained Admin Permissions (FGAPv2) feature in Keycloak if it is not strictly required. This can typically be done by setting adminPermissionsEnabled to false in the realm configuration. Disabling FGAPv2 will prevent the exploitation of this flaw by removing the vulnerable functionality. However, this may impact administrative delegation capabilities within Keycloak. A restart or reload of the Keycloak service may be required for the changes to take effect.
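An added example, not Red Hat's or the Keycloak project's code, that checks a realm export for the workaround described above and for clients whose scope mappings already carry a privileged realm role. It assumes the realm export JSON layout (a top-level adminPermissionsEnabled flag and a scopeMappings list of client/roles entries) and takes the set of role names considered privileged from the caller.

```python
"""Audit a Keycloak realm export for the CVE-2026-9795 workaround state.

Assumptions (not taken from the advisory): the export carries a top-level
"adminPermissionsEnabled" boolean and a "scopeMappings" list of
{"client": <clientId>, "roles": [<realm role names>]} entries.
"""
import json

# Constructed sample export for demonstration, not from a real deployment.
SAMPLE_EXPORT = json.dumps({
    "realm": "example",
    "adminPermissionsEnabled": True,
    "roles": {"realm": [{"name": "admin"}, {"name": "offline_access"}]},
    "scopeMappings": [
        {"client": "billing-app", "roles": ["offline_access"]},
        {"client": "kiosk", "roles": ["admin", "offline_access"]},
    ],
})


def audit_realm(export_json, privileged_roles):
    """Report whether FGAPv2 is enabled and which clients have a scope
    mapping that would project a privileged realm role into tokens."""
    realm = json.loads(export_json)
    findings = {
        "fgap_enabled": bool(realm.get("adminPermissionsEnabled", False)),
        "privileged_scope_mappings": {},
    }
    for mapping in realm.get("scopeMappings", []):
        hits = sorted(set(mapping.get("roles", [])) & set(privileged_roles))
        if hits:
            findings["privileged_scope_mappings"][mapping["client"]] = hits
    return findings


def workaround_applied(findings):
    """True only when FGAPv2 is off and no client scope mapping already
    carries a privileged role that needs manual review."""
    return (not findings["fgap_enabled"]
            and not findings["privileged_scope_mappings"])


if __name__ == "__main__":
    result = audit_realm(SAMPLE_EXPORT, {"admin"})
    print(json.dumps(result, indent=2))
    print("workaround applied:", workaround_applied(result))
```

Run it against a realm export produced by your own Keycloak instance; any client listed under privileged_scope_mappings should be reviewed before and after the FGAPv2 flag is changed.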

Credits

  • Red Hat would like to thank Andrej Tomci for reporting this issue.

Problem Types

  • Incorrect Privilege Assignment CWE