Red Hat Keycloak CVE-2026-9088

EUVD-2026-34790 · LOW
Insufficient Granularity of Access Control (CWE-1220)
2026-06-05 redhat GHSA-6g26-7cx5-mrrg
2.7
CVSS 3.1 · Vendor: redhat

Severity by source

Vendor (redhat) PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Primary rating from Vendor (redhat) · only source for this CVE.

CVSS Vector (Vendor: redhat)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1. Analysis Generated: Jun 05, 2026 - 08:31 (vuln.today)

Description (CVE.org)

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.

Analysis (AI)

Information disclosure in Red Hat Build of Keycloak's group members endpoint allows a highly privileged but delegated administrator to bypass explicitly configured user profile attribute access controls. An administrator granted only delegated read access to group memberships and user data can invoke the group members API endpoint to retrieve user attributes that have been administratively denied to that role, circumventing the intended granularity of access control. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate as delegated admin with read-group-members permission
Delivery: Identify target group containing users with sensitive attributes
Exploit: Issue HTTP request to group members API endpoint
Execution: Receive user records bypassing attribute-level deny policies
Impact: Exfiltrate restricted user profile attributes

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated administrator account (PR:H per CVSS vector) that has been specifically granted delegated permissions to read group memberships and user data within the Keycloak realm. …
Risk Assessment: The real-world risk is low, consistent with the CVSS base score of 2.7. …
Exploit Scenario: An internal administrator who has been granted delegated 'read group memberships and users' permissions, but not full administrative access, queries the group members API endpoint for a group containing target users. The endpoint returns user records including attribute values that the user profile configuration explicitly marks as hidden or denied for that administrator's role. …
Remediation: No vendor-released patch version has been confirmed from the available data at time of analysis; the Red Hat Security Advisory at https://access.redhat.com/security/cve/CVE-2026-9088 and the Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2480179 should be monitored for patch availability and errata release. …

CVE-2026-9088 vulnerability details – vuln.today