CVE-2026-3121 - Red Hat Keycloak Incorrect Permission Assignment

Article ID: 435784


Products

Service Virtualization

Issue/Introduction

A security vulnerability (CVE-2026-3121) has been identified in the Red Hat Keycloak server used by the Identity and Access Management (IAM) component of Service Virtualization (DevTest).

The flaw is characterized as an "Unspecified Incorrect Permission Assignment." In certain configurations, permissions are not correctly assigned to user roles or administrative endpoints. This may allow an authenticated remote attacker to gain elevated privileges within the IAM environment.

  • CVE-ID: CVE-2026-3121
  • CVSS Score: 5.5 (Medium)
  • Vulnerability Type: Remote Privilege Escalation

Cause

The vulnerability is caused by an unspecified flaw in the Keycloak permission management logic, which fails to strictly enforce role-based access controls for specific operations or resources.
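Because the advisory does not say which roles or endpoints are affected, a practical interim check is to audit who actually holds administrative roles in the Keycloak realm that backs DevTest IAM and compare that against the approved list. The script below is an added example, not code from Broadcom, Keycloak or this article. It assumes the input is a Keycloak realm export in JSON (the `users[].realmRoles` and `users[].clientRoles` shape that a partial realm export produces); the sample export, the realm name `devtest`, the user names and the set of roles treated as privileged are constructed for illustration and should be adjusted to your own realm.

```python
import json
from collections import defaultdict

# Constructed sample: a trimmed Keycloak realm export with the same shape as a
# partial export (realm -> users -> realmRoles / clientRoles). Not real data.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "devtest",
    "users": [
        {"username": "svc-monitor", "enabled": True,
         "realmRoles": ["default-roles-devtest"],
         "clientRoles": {}},
        {"username": "alice", "enabled": True,
         "realmRoles": ["default-roles-devtest", "admin"],
         "clientRoles": {"realm-management": ["manage-users", "view-realm"]}},
        {"username": "bob", "enabled": True,
         "realmRoles": ["default-roles-devtest"],
         "clientRoles": {"realm-management": ["realm-admin"]}},
    ],
})

# Assumed policy: realm roles and realm-management client roles that grant
# administrative control. Extend these sets to match your deployment.
PRIVILEGED_REALM_ROLES = {"admin"}
PRIVILEGED_CLIENT_ROLES = {
    "realm-management": {"realm-admin", "manage-users", "manage-realm", "manage-clients"},
}


def privileged_assignments(export_json):
    """Map each user in a realm export to the privileged roles they hold.

    Returns {username: sorted list of "realm:<role>" / "<client>:<role>"}.
    Users with no privileged role are omitted.
    """
    realm = json.loads(export_json)
    findings = defaultdict(set)
    for user in realm.get("users", []):
        name = user["username"]
        for role in user.get("realmRoles", []):
            if role in PRIVILEGED_REALM_ROLES:
                findings[name].add(f"realm:{role}")
        for client, roles in user.get("clientRoles", {}).items():
            allowed = PRIVILEGED_CLIENT_ROLES.get(client, set())
            for role in roles:
                if role in allowed:
                    findings[name].add(f"{client}:{role}")
    return {user: sorted(roles) for user, roles in findings.items()}


def unexpected_admins(export_json, approved_admins):
    """Return privileged holders that are not on the approved administrator list."""
    approved = set(approved_admins)
    return {user: roles
            for user, roles in privileged_assignments(export_json).items()
            if user not in approved}


if __name__ == "__main__":
    # Review every privileged holder, then flag the ones nobody approved.
    for user, roles in privileged_assignments(SAMPLE_REALM_EXPORT).items():
        print(f"{user}: {', '.join(roles)}")
    for user, roles in unexpected_admins(SAMPLE_REALM_EXPORT, {"alice"}).items():
        print(f"UNEXPECTED privileged user {user}: {', '.join(roles)}")
```

Run it against an export of the real realm and treat every name in the "unexpected" output as a finding to investigate; repeating the check after the 10.9.1 upgrade confirms that the assignments you expect are the only ones that remain.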

Resolution

Broadcom Engineering has addressed this third-party vulnerability. The fix is included in the Service Virtualization (DevTest) 10.9.1 release.

Remediation Steps:

  1. Plan an upgrade of your DevTest environment to version 10.9.1.
  2. The DevTest 10.9.1 release is currently scheduled for general availability by the end of April 2026.
  3. Once the release is available, apply the update to the IAM component to mitigate the risk associated with CVE-2026-3121.