Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-accessible admin API; requires low-privilege delegated admin auth; only group names/IDs disclosed with no integrity or availability impact.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
A flaw was found in the default-groups REST endpoint and realm representation of Keycloak. This component is responsible for managing groups that are automatically assigned to new users within a realm. The issue allows a delegated administrator with realm-viewing permissions to see the names and identifiers of hidden default groups, even if they lack the specific permissions to view those groups. This can lead to the exposure of sensitive organizational structures or internal group names.
AnalysisAI
Keycloak's default-groups REST endpoint and realm representation expose hidden group names and identifiers to delegated administrators who hold realm-viewing permissions but lack explicit group-viewing authorization. Affected products span Red Hat Build of Keycloak, Red Hat Single Sign-On 7, Red Hat Data Grid 8, and Red Hat JBoss EAP Expansion Pack. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account with delegated administrator privileges that include realm-viewing permissions (view-realm role or equivalent) within the target Keycloak realm. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.3 Medium score (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately characterizes this as a bounded, real but non-critical issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A help desk operator or tenant administrator holding a delegated admin role with realm-view permissions - but intentionally denied group-view rights by a security policy - authenticates to the Keycloak admin REST API and issues a GET request to the default-groups endpoint or retrieves the realm representation object. The API response includes names and internal UUIDs of groups that were configured as hidden, revealing organizational group topology such as department names, security tiers, or regulatory classifications. … |
| Remediation | Apply the vendor-supplied patch per the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-16108; specific patched version numbers are not confirmed in the available input data and must be verified there. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Build Of Keycloak
View allAuthorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access con
Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Re
Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abus
Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstrea
Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gai
Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management right
Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads
Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by su
Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take
Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level a
Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permis
Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45223