Skip to main content

Keycloak CVE-2026-9099

| EUVDEUVD-2026-39472 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-25 redhat GHSA-rmcj-82cr-27rx
7.7
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.7 HIGH
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
8.0 HIGH

Network-reachable Admin REST API (AV:N) but needs existing delegated group-admin rights and FGAPv2 (PR:H, AC:H); cross-authority realm takeover yields S:C with full C/I/A impact.

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Red Hat
7.7 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 17:19 vuln.today

DescriptionCVE.org

A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.

Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.

AnalysisAI

Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management rights over a single low-privilege group hijack the entire realm. A missing authorization check in the Admin REST API's GroupResource.addChild() endpoint allows reparenting an arbitrary group; when Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker can move a privileged group (e.g., one holding realm-admin) under a group they control, inheriting management and password-reset rights over its members. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as limited delegated group admin
Delivery
Identify privileged target group (realm-admin)
Exploit
Call Admin REST API addChild() to reparent it
Execution
Inherit management and password-reset over its members
Persist
Reset administrator password
Impact
Take over account and full realm

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) Keycloak configured with Fine-Grained Admin Permissions v2 (FGAPv2) enabled, (2) an authenticated account that already holds management (manage) rights over at least one group (a limited delegated administrator), and (3) the existence of a more privileged target group such as one possessing the realm-admin role; the attacker then invokes the Admin REST API GroupResource.addChild() endpoint to reparent that privileged group under their managed group. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals point to a high-impact-but-constrained issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario In a Keycloak realm using FGAPv2, an attacker holds a delegated-admin account with manage rights over only one low-privilege group (for example a tenant or team group). Using the Admin REST API addChild() call they reparent the realm-admin-bearing group under their managed group, inheriting management and password-reset authority over its members, then reset an administrator's password and take over the realm. …
Remediation No vendor-released patch version was identified at time of analysis from the provided data; consult the Red Hat advisory (https://access.redhat.com/security/cve/CVE-2026-9099) and Bugzilla 2480182 (https://bugzilla.redhat.com/show_bug.cgi?id=2480182) for the fixed build and apply it as the primary remediation once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 HOURS: Determine whether Fine-Grained Admin Permissions v2 is active in production Keycloak deployments and inventory all users with delegated group administration privileges. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-9800 HIGH
8.1 Jun 25

Authorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access con

CVE-2026-11800 HIGH
8.1 Jun 25

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Re

CVE-2026-7504 HIGH
8.1 May 19

Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abus

CVE-2026-9087 HIGH
8.1 May 20

Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstrea

CVE-2026-4636 HIGH
8.1 Apr 02

Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gai

CVE-2026-7307 HIGH
7.5 May 19

Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads

CVE-2026-4634 HIGH
7.5 Apr 02

Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by su

CVE-2026-7507 HIGH
7.5 May 19

Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take

CVE-2026-4282 HIGH
7.4 Apr 02

Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level a

CVE-2026-9086 HIGH
7.3 Jun 25

Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permis

CVE-2026-3872 HIGH
7.3 Apr 02

Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web

CVE-2026-9795 HIGH
7.3 May 28

Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows an administrator with only limited

Vendor StatusVendor

Share

CVE-2026-9099 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy