Search

Find a vulnerability

Search criteria

    214 vulnerabilities found for Red Hat Build of Keycloak by Red Hat

    CVE-2026-4629 (GCVE-0-2026-4629)

    Vulnerability from nvd – Published: 2026-06-30 12:00 – Updated: 2026-07-01 14:26
    VLAI
    Title
    Keycloak: keycloak: privilege escalation through hardcoded role mapper injection
    Summary
    A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    URL Tags
    https://access.redhat.com/security/cve/CVE-2026-4629 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2450244 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Create a notification for this product.
    Date Public
    2026-04-20 12:34
    Credits
    Red Hat would like to thank Daniel Peters (Operating Intelligence Inc.), Lior Moshe (Operating Intelligence Inc.), and Uri Rolls (Operating Intelligence Inc.) for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4629",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T14:26:33.448859Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T14:26:59.489Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Daniel Peters (Operating Intelligence Inc.), Lior Moshe (Operating Intelligence Inc.), and Uri Rolls (Operating Intelligence Inc.) for reporting this issue."
            }
          ],
          "datePublic": "2026-04-20T12:34:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T12:00:28.631Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-4629"
            },
            {
              "name": "RHBZ#2450244",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450244"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-23T08:01:10.722Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-04-20T12:34:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: privilege escalation through hardcoded role mapper injection",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-266: Incorrect Privilege Assignment"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-4629",
        "datePublished": "2026-06-30T12:00:28.631Z",
        "dateReserved": "2026-03-23T08:02:49.337Z",
        "dateUpdated": "2026-07-01T14:26:59.489Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14209 (GCVE-0-2026-14209)

    Vulnerability from nvd – Published: 2026-06-30 11:48 – Updated: 2026-06-30 18:46
    VLAI
    Title
    Keycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions
    Summary
    A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific "brute-force-user" endpoint to access a user's full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required "view" permission for that specific user when using this particular search path.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    URL Tags
    https://access.redhat.com/security/cve/CVE-2026-14209 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2494837 issue-trackingx_refsource_REDHAT
    Impacted products
    Date Public
    2026-06-30 11:08
    Credits
    Red Hat would like to thank Jinyeong Yang for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14209",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-30T18:46:23.302478Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T18:46:34.501Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "keycloak-admin-ui",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk-openshift-rhel9/rhbk-openshift-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jbosseapxp"
              ],
              "defaultStatus": "affected",
              "packageName": "keycloak-admin-ui",
              "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Jinyeong Yang for reporting this issue."
            }
          ],
          "datePublic": "2026-06-30T11:08:07.532Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was discovered in Keycloak\u0027s Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific \"brute-force-user\" endpoint to access a user\u0027s full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required \"view\" permission for that specific user when using this particular search path."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T11:48:26.492Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-14209"
            },
            {
              "name": "RHBZ#2494837",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494837"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-29T20:54:20.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-30T11:08:07.532Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-14209",
        "datePublished": "2026-06-30T11:48:26.492Z",
        "dateReserved": "2026-06-30T10:52:31.949Z",
        "dateUpdated": "2026-06-30T18:46:34.501Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12388 (GCVE-0-2026-12388)

    Vulnerability from nvd – Published: 2026-06-30 12:00 – Updated: 2026-06-30 15:58
    VLAI
    Title
    Keycloak-broker: keycloak: privilege escalation to realm administrator via improper authorization in identity provider mapper
    Summary
    A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role" mapper that assigns high-level administrative roles (like realm-admin) to themselves or others. This allows a restricted administrator to bypass security checks and gain full control over the entire realm.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    URL Tags
    https://access.redhat.com/security/cve/CVE-2026-12388 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2489140 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Create a notification for this product.
    Date Public
    2026-06-30 11:49
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12388",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-30T14:18:51.123959Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T15:58:24.834Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2026-06-30T11:49:29.358Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a \"Hardcoded Role\" mapper that assigns high-level administrative roles (like realm-admin) to themselves or others. This allows a restricted administrator to bypass security checks and gain full control over the entire realm."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T12:00:28.675Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-12388"
            },
            {
              "name": "RHBZ#2489140",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489140"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-10T14:45:28.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-30T11:49:29.358Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak-broker: keycloak: privilege escalation to realm administrator via improper authorization in identity provider mapper",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-266: Incorrect Privilege Assignment"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-12388",
        "datePublished": "2026-06-30T12:00:28.675Z",
        "dateReserved": "2026-06-16T11:41:17.075Z",
        "dateUpdated": "2026-06-30T15:58:24.834Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11800 (GCVE-0-2026-11800)

    Vulnerability from nvd – Published: 2026-06-25 20:57 – Updated: 2026-06-30 12:06
    VLAI
    Title
    Org.keycloak:keycloak-services: keycloak: authentication bypass via jwt algorithm confusion
    Summary
    A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    References
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.4-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-8 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.4     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Create a notification for this product.
    Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Create a notification for this product.
    Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-05-29 00:00
    Credits
    Red Hat would like to thank Bilal Teke for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11800",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:03:46.141909Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:03:54.683Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Keycloak",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_data_grid:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Data Grid 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_single_sign_on:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Single Sign-On 7",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-29T00:00:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-347",
                    "description": "Improper Verification of Cryptographic Signature",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:54.719Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-11800"
              },
              {
                "name": "RHBZ#2487006",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487006"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11800.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30084"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30083"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:30084: Red Hat build of Keycloak 26.6"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30083: Red Hat build of Keycloak 26.6.4"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-09T05:06:35.697Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-29T00:00:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "org.keycloak:keycloak-services: Keycloak: Authentication bypass via JWT algorithm confusion",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "product": "Red Hat build of Keycloak 26.6.4",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk-openshift-rhel9/rhbk-openshift-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:jboss_data_grid:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "keycloak-services",
              "product": "Red Hat Data Grid 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jbosseapxp"
              ],
              "defaultStatus": "unaffected",
              "packageName": "keycloak-services",
              "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:red_hat_single_sign_on:7"
              ],
              "defaultStatus": "unaffected",
              "packageName": "keycloak-services",
              "product": "Red Hat Single Sign-On 7",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Bilal Teke for reporting this issue."
            }
          ],
          "datePublic": "2026-05-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T20:57:05.276Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:30083",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30083"
            },
            {
              "name": "RHSA-2026:30084",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30084"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-11800"
            },
            {
              "name": "RHBZ#2487006",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487006"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-09T05:06:35.697Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-05-29T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Org.keycloak:keycloak-services: keycloak: authentication bypass via jwt algorithm confusion",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-347: Improper Verification of Cryptographic Signature"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-11800",
        "datePublished": "2026-06-25T20:57:05.276Z",
        "dateReserved": "2026-06-09T14:06:04.695Z",
        "dateUpdated": "2026-06-30T12:06:54.719Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9800 (GCVE-0-2026-9800)

    Vulnerability from nvd – Published: 2026-06-25 16:16 – Updated: 2026-06-30 12:10
    VLAI
    Title
    Keycloak: keycloak policy enforcer: authorization bypass via incorrect uri comparison
    Summary
    A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1025 - Comparison Using Wrong Factors
    Assigner
    References
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.4-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-8 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.4     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-05-19 00:00
    Credits
    Red Hat would like to thank Bas Levering for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9800",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T17:27:58.852057Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T17:29:38.796Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.4.13",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6.4",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-19T00:00:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1025",
                    "description": "Comparison Using Wrong Factors",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:10:49.545Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-9800"
              },
              {
                "name": "RHBZ#2482472",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482472"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9800.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30050"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30084"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30049"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30083"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:30050: Red Hat build of Keycloak 26.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30084: Red Hat build of Keycloak 26.6"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30049: Red Hat build of Keycloak 26.4.13"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30083: Red Hat build of Keycloak 26.6.4"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-28T03:57:56.111Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-19T00:00:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "keycloak: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.4",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Bas Levering for reporting this issue."
            }
          ],
          "datePublic": "2026-05-19T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1025",
                  "description": "Comparison Using Wrong Factors",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T06:26:58.221Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "name": "RHSA-2026:30083",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30083"
            },
            {
              "name": "RHSA-2026:30084",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30084"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9800"
            },
            {
              "name": "RHBZ#2482472",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482472"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T03:57:56.111Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-05-19T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak policy enforcer: authorization bypass via incorrect uri comparison",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-1025: Comparison Using Wrong Factors"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9800",
        "datePublished": "2026-06-25T16:16:27.069Z",
        "dateReserved": "2026-05-28T04:00:06.454Z",
        "dateUpdated": "2026-06-30T12:10:49.545Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9799 (GCVE-0-2026-9799)

    Vulnerability from nvd – Published: 2026-06-25 16:17 – Updated: 2026-06-26 06:46
    VLAI
    Title
    Keycloak: keycloak: unauthorized access to resources via uma permission ticket bypass
    Summary
    A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2026:30049 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30050 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30083 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30084 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2026-9799 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2482471 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.4-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-8 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.4     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-05-19 12:34
    Credits
    Red Hat would like to thank Omaroo Baniessa for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9799",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T02:06:38.303071Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T02:06:55.475Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.4",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Omaroo Baniessa for reporting this issue."
            }
          ],
          "datePublic": "2026-05-19T12:34:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T06:46:38.312Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "name": "RHSA-2026:30083",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30083"
            },
            {
              "name": "RHSA-2026:30084",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30084"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9799"
            },
            {
              "name": "RHBZ#2482471",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482471"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T03:53:15.687Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-05-19T12:34:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: unauthorized access to resources via uma permission ticket bypass",
          "workarounds": [
            {
              "lang": "en",
              "value": "To mitigate this issue, ensure that the Keycloak client\u0027s policy enforcement mode is set to ENFORCING instead of PERMISSIVE. The PERMISSIVE mode is a non-default configuration that enables the vulnerability. Changing this setting will prevent the unauthorized access to resources of the same type. Consult Keycloak documentation for specific instructions on configuring policy enforcement mode for your client. This change may require a restart or reload of the Keycloak service to take effect and could impact existing authorization policies if not carefully managed."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9799",
        "datePublished": "2026-06-25T16:17:48.486Z",
        "dateReserved": "2026-05-28T03:53:25.960Z",
        "dateUpdated": "2026-06-26T06:46:38.312Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9705 (GCVE-0-2026-9705)

    Vulnerability from nvd – Published: 2026-06-25 16:17 – Updated: 2026-06-29 18:10
    VLAI
    Title
    Keycloak: keycloak: attacker can re-enable and take over disabled clients via registration access token
    Summary
    A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2026:30049 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30050 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30083 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30084 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2026-9705 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2481878 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.4-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-8 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.4     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-06-25 15:59
    Credits
    Red Hat would like to thank Qiulin Deng for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9705",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T18:10:38.249303Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T18:10:46.870Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.4",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Qiulin Deng for reporting this issue."
            }
          ],
          "datePublic": "2026-06-25T15:59:03.780Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak\u0027s client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client\u0027s secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T06:46:29.107Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "name": "RHSA-2026:30083",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30083"
            },
            {
              "name": "RHSA-2026:30084",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30084"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9705"
            },
            {
              "name": "RHBZ#2481878",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481878"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-27T12:42:28.395Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-25T15:59:03.780Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: attacker can re-enable and take over disabled clients via registration access token",
          "workarounds": [
            {
              "lang": "en",
              "value": "To mitigate this issue, restrict network access to the Keycloak Dynamic Client Registration endpoint. Configure network firewalls to allow connections only from trusted hosts or networks that legitimately require access to this functionality. This limits the exposure of the vulnerable endpoint to unauthorized access attempts."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-613: Insufficient Session Expiration"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9705",
        "datePublished": "2026-06-25T16:17:46.330Z",
        "dateReserved": "2026-05-27T12:48:48.084Z",
        "dateUpdated": "2026-06-29T18:10:46.870Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9099 (GCVE-0-2026-9099)

    Vulnerability from nvd – Published: 2026-06-25 16:16 – Updated: 2026-06-30 12:10
    VLAI
    Title
    Keycloak: group-admin escalation to realm-admin
    Summary
    A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.4-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-8 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.4     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-06-25 15:58
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9099",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T20:25:31.782558Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T20:26:06.600Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.4.13",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6.4",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-25T15:58:51.884Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator\u0027s password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.7,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-639",
                    "description": "Authorization Bypass Through User-Controlled Key",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:10:50.907Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-9099"
              },
              {
                "name": "RHBZ#2480182",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480182"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9099.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30050"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30084"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30049"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30083"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:30050: Red Hat build of Keycloak 26.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30084: Red Hat build of Keycloak 26.6"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30049: Red Hat build of Keycloak 26.4.13"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30083: Red Hat build of Keycloak 26.6.4"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-20T15:05:54.381Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-25T15:58:51.884Z",
                "value": "Made public."
              }
            ],
            "title": "keycloak: Group-Admin Escalation to Realm-Admin",
            "workarounds": [
              {
                "lang": "en",
                "value": "To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.4",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2026-06-25T15:58:51.884Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator\u0027s password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T06:26:57.094Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "name": "RHSA-2026:30083",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30083"
            },
            {
              "name": "RHSA-2026:30084",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30084"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9099"
            },
            {
              "name": "RHBZ#2480182",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480182"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-20T15:05:54.381Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-25T15:58:51.884Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: group-admin escalation to realm-admin",
          "workarounds": [
            {
              "lang": "en",
              "value": "To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9099",
        "datePublished": "2026-06-25T16:16:43.604Z",
        "dateReserved": "2026-05-20T15:12:25.740Z",
        "dateUpdated": "2026-06-30T12:10:50.907Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9086 (GCVE-0-2026-9086)

    Vulnerability from nvd – Published: 2026-06-25 16:16 – Updated: 2026-06-30 12:10
    VLAI
    Title
    Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass
    Summary
    A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.4-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-8 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.4     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-06-25 15:58
    Credits
    Red Hat would like to thank saku0512 for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9086",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T17:59:48.293762Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T17:59:57.632Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.4.13",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6.4",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-25T15:58:33.359Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:10:51.779Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-9086"
              },
              {
                "name": "RHBZ#2480170",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480170"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9086.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30050"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30084"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30049"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30083"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:30050: Red Hat build of Keycloak 26.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30084: Red Hat build of Keycloak 26.6"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30049: Red Hat build of Keycloak 26.4.13"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30083: Red Hat build of Keycloak 26.6.4"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-20T14:43:55.195Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-25T15:58:33.359Z",
                "value": "Made public."
              }
            ],
            "title": "keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass",
            "workarounds": [
              {
                "lang": "en",
                "value": "To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak\u0027s Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the `manage-client` role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.4",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank saku0512 for reporting this issue."
            }
          ],
          "datePublic": "2026-06-25T15:58:33.359Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T06:26:53.231Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "name": "RHSA-2026:30083",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30083"
            },
            {
              "name": "RHSA-2026:30084",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30084"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9086"
            },
            {
              "name": "RHBZ#2480170",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480170"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-20T14:43:55.195Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-25T15:58:33.359Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass",
          "workarounds": [
            {
              "lang": "en",
              "value": "To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak\u0027s Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the `manage-client` role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9086",
        "datePublished": "2026-06-25T16:16:46.017Z",
        "dateReserved": "2026-05-20T14:44:12.702Z",
        "dateUpdated": "2026-06-30T12:10:51.779Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9083 (GCVE-0-2026-9083)

    Vulnerability from nvd – Published: 2026-06-25 16:17 – Updated: 2026-06-26 06:46
    VLAI
    Title
    Keycloak: keycloak: information disclosure through arbitrary filesystem path probing
    Summary
    A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2026:30049 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30050 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30083 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30084 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2026-9083 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2480168 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.4-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-8 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.4     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-06-25 15:58
    Credits
    Red Hat would like to thank Swapnil Paliwal & Security Team (AxiomCode) for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9083",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T17:53:33.860276Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T17:53:44.159Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.4",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Swapnil Paliwal \u0026 Security Team (AxiomCode) for reporting this issue."
            }
          ],
          "datePublic": "2026-06-25T15:58:16.784Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. A realm administrator with the \"manage-realm\" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T06:46:21.516Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "name": "RHSA-2026:30083",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30083"
            },
            {
              "name": "RHSA-2026:30084",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30084"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9083"
            },
            {
              "name": "RHBZ#2480168",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480168"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-20T14:11:24.606Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-25T15:58:16.784Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: information disclosure through arbitrary filesystem path probing",
          "workarounds": [
            {
              "lang": "en",
              "value": "Ensure that only highly trusted administrators are granted the \"manage-realm\" role within Keycloak. This role provides extensive administrative privileges, including the ability to exploit this vulnerability for filesystem probing. Regularly review and audit users assigned to this role to minimize the attack surface."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9083",
        "datePublished": "2026-06-25T16:17:49.969Z",
        "dateReserved": "2026-05-20T14:11:59.940Z",
        "dateUpdated": "2026-06-26T06:46:21.516Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11986 (GCVE-0-2026-11986)

    Vulnerability from nvd – Published: 2026-06-11 16:47 – Updated: 2026-06-11 18:50
    VLAI
    Title
    Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of keycloak
    Summary
    A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-425 - Direct Request ('Forced Browsing')
    Assigner
    References
    URL Tags
    https://access.redhat.com/security/cve/CVE-2026-11986 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2487906 issue-trackingx_refsource_REDHAT
    Impacted products
    Date Public
    2026-06-11 14:17
    Credits
    Red Hat would like to thank Wesley "Alardiians" Colquitt (Byteshyft Studios) for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11986",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-11T18:49:43.250186Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-11T18:50:30.698Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "keycloak-rest-admin-ui-ext",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk-openshift-rhel9/rhbk-openshift-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jbosseapxp"
              ],
              "defaultStatus": "unaffected",
              "packageName": "keycloak-rest-admin-ui-ext",
              "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Wesley \"Alardiians\" Colquitt (Byteshyft Studios) for reporting this issue."
            }
          ],
          "datePublic": "2026-06-11T14:17:32.078Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-425",
                  "description": "Direct Request (\u0027Forced Browsing\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-11T16:47:11.862Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-11986"
            },
            {
              "name": "RHBZ#2487906",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487906"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-08T18:22:02.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-11T14:17:32.078Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of keycloak",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-425: Direct Request (\u0027Forced Browsing\u0027)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-11986",
        "datePublished": "2026-06-11T16:47:11.862Z",
        "dateReserved": "2026-06-11T14:18:10.409Z",
        "dateUpdated": "2026-06-11T18:50:30.698Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11577 (GCVE-0-2026-11577)

    Vulnerability from nvd – Published: 2026-06-08 11:44 – Updated: 2026-06-30 12:06
    VLAI
    Title
    Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass
    Summary
    A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Date Public
    2026-06-08 00:00
    Credits
    Red Hat would like to thank Andrii Ilin (10Guards) for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11577",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-09T18:38:26.079653Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-09T18:38:42.517Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/keycloak/keycloak/issues/9387"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Keycloak",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_single_sign_on:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Single Sign-On 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_data_grid:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Data Grid 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-08T00:00:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-863",
                    "description": "Incorrect Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:54.992Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-11577"
              },
              {
                "name": "RHBZ#2459993",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459993"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11577.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-18T00:00:00.000Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-08T00:00:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "keycloak: keycloak: privilege escalation via partialImport FGAP permission bypass",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "keycloak-services",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:jboss_data_grid:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "keycloak-services",
              "product": "Red Hat Data Grid 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_application_platform:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "keycloak-services",
              "product": "Red Hat JBoss Enterprise Application Platform 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jbosseapxp"
              ],
              "defaultStatus": "unaffected",
              "packageName": "keycloak-services",
              "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:red_hat_single_sign_on:7"
              ],
              "defaultStatus": "unknown",
              "packageName": "keycloak-services",
              "product": "Red Hat Single Sign-On 7",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Andrii Ilin (10Guards) for reporting this issue."
            }
          ],
          "datePublic": "2026-06-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T07:32:45.088Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-11577"
            },
            {
              "name": "RHBZ#2459993",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459993"
            },
            {
              "url": "https://github.com/keycloak/keycloak/issues/9387"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-18T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-08T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-863: Incorrect Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-11577",
        "datePublished": "2026-06-08T11:44:41.892Z",
        "dateReserved": "2026-06-08T11:34:22.437Z",
        "dateUpdated": "2026-06-30T12:06:54.992Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9088 (GCVE-0-2026-9088)

    Vulnerability from nvd – Published: 2026-06-05 07:52 – Updated: 2026-06-26 07:01
    VLAI
    Title
    Keycloak: keycloak: information disclosure due to user profile permission bypass
    Summary
    A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1220 - Insufficient Granularity of Access Control
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2026:25097 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:25098 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30049 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30050 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2026-9088 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2480179 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.3-3 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-6 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.3     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-06-05 07:45
    Credits
    Red Hat would like to thank Hadley So for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9088",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-05T13:10:30.927804Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-05T13:10:40.187Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.3-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.3",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Hadley So for reporting this issue."
            }
          ],
          "datePublic": "2026-06-05T07:45:40.116Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Low"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1220",
                  "description": "Insufficient Granularity of Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T07:01:31.888Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:25097",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:25097"
            },
            {
              "name": "RHSA-2026:25098",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:25098"
            },
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9088"
            },
            {
              "name": "RHBZ#2480179",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480179"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-20T15:01:25.568Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-05T07:45:40.116Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: information disclosure due to user profile permission bypass",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-1220: Insufficient Granularity of Access Control"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9088",
        "datePublished": "2026-06-05T07:52:52.858Z",
        "dateReserved": "2026-05-20T15:01:48.645Z",
        "dateUpdated": "2026-06-26T07:01:31.888Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9803 (GCVE-0-2026-9803)

    Vulnerability from nvd – Published: 2026-05-28 04:47 – Updated: 2026-06-26 06:46
    VLAI
    Title
    Keycloak: keycloak: denial of service via malformed authorization header
    Summary
    A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2026:25097 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:25098 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30049 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30050 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2026-9803 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2482465 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.3-3 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-6 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.3     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-05-28 04:03
    Credits
    Red Hat would like to thank Mustafa Çetin for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9803",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-28T13:09:44.442993Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T13:10:07.051Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.3-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.3",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Mustafa \u00c7etin for reporting this issue."
            }
          ],
          "datePublic": "2026-05-28T04:03:01.292Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak\u0027s ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed \u0027Authorization: Bearer\u0027 header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T06:46:45.324Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:25097",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:25097"
            },
            {
              "name": "RHSA-2026:25098",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:25098"
            },
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9803"
            },
            {
              "name": "RHBZ#2482465",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482465"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T04:02:15.892Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-05-28T04:03:01.292Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: denial of service via malformed authorization header",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-125: Out-of-bounds Read"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9803",
        "datePublished": "2026-05-28T04:47:10.485Z",
        "dateReserved": "2026-05-28T04:02:28.881Z",
        "dateUpdated": "2026-06-26T06:46:45.324Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9802 (GCVE-0-2026-9802)

    Vulnerability from nvd – Published: 2026-05-28 04:47 – Updated: 2026-06-26 06:46
    VLAI
    Title
    Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster restart
    Summary
    A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2026:25097 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:25098 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30049 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30050 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2026-9802 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2482467 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.3-3 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-6 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.3     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-05-28 04:10
    Credits
    Red Hat would like to thank Gyeongpyo Son for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9802",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-28T13:00:17.958549Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T13:00:32.592Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.3-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.3",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Gyeongpyo Son for reporting this issue."
            }
          ],
          "datePublic": "2026-05-28T04:10:26.145Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user\u0027s refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim\u0027s account, potentially leading to information disclosure or privilege escalation."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T06:46:43.373Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:25097",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:25097"
            },
            {
              "name": "RHSA-2026:25098",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:25098"
            },
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9802"
            },
            {
              "name": "RHBZ#2482467",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482467"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T04:01:03.837Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-05-28T04:10:26.145Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster restart",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-613: Insufficient Session Expiration"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9802",
        "datePublished": "2026-05-28T04:47:10.497Z",
        "dateReserved": "2026-05-28T04:02:07.242Z",
        "dateUpdated": "2026-06-26T06:46:43.373Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9801 (GCVE-0-2026-9801)

    Vulnerability from nvd – Published: 2026-05-28 04:42 – Updated: 2026-06-26 06:46
    VLAI
    Title
    Keycloak: keycloak: denial of service via malformed ldap password policy response
    Summary
    A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1284 - Improper Validation of Specified Quantity in Input
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2026:25097 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:25098 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30049 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30050 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2026-9801 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2482473 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.3-3 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-6 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.3     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-05-28 04:18
    Credits
    Red Hat would like to thank Seongkuk Park for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9801",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-30T01:53:56.832854Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-30T01:54:07.920Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.3-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.3",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Seongkuk Park for reporting this issue."
            }
          ],
          "datePublic": "2026-05-28T04:18:25.872Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1284",
                  "description": "Improper Validation of Specified Quantity in Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T06:46:40.611Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:25097",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:25097"
            },
            {
              "name": "RHSA-2026:25098",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:25098"
            },
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9801"
            },
            {
              "name": "RHBZ#2482473",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482473"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T04:00:39.339Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-05-28T04:18:25.872Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: denial of service via malformed ldap password policy response",
          "workarounds": [
            {
              "lang": "en",
              "value": "To mitigate this vulnerability, ensure that Keycloak\u0027s LDAP user-storage providers are configured to connect only to trusted and secure LDAP servers. Avoid configuring LDAP federation with unverified or potentially malicious LDAP endpoints. Additionally, always use TLS for LDAP connections to prevent Man-in-the-Middle attacks. If an upstream LDAP server is compromised, it should be isolated and secured immediately."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-1284: Improper Validation of Specified Quantity in Input"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9801",
        "datePublished": "2026-05-28T04:42:10.331Z",
        "dateReserved": "2026-05-28T04:00:46.722Z",
        "dateUpdated": "2026-06-26T06:46:40.611Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9798 (GCVE-0-2026-9798)

    Vulnerability from nvd – Published: 2026-05-28 04:37 – Updated: 2026-05-29 18:30
    VLAI
    Title
    Keycloak: keycloak: brute-force protection bypass in ciba flow
    Summary
    A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-305 - Authentication Bypass by Primary Weakness
    Assigner
    References
    URL Tags
    https://access.redhat.com/security/cve/CVE-2026-9798 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2482470 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Create a notification for this product.
    Date Public
    2026-05-28 03:53
    Credits
    Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9798",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T18:29:49.249825Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T18:30:05.748Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue."
            }
          ],
          "datePublic": "2026-05-28T03:53:01.734Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-305",
                  "description": "Authentication Bypass by Primary Weakness",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-28T04:37:09.472Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9798"
            },
            {
              "name": "RHBZ#2482470",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482470"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T03:49:51.972Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-05-28T03:53:01.734Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: brute-force protection bypass in ciba flow",
          "workarounds": [
            {
              "lang": "en",
              "value": "To mitigate this issue, ensure that Client-Initiated Backchannel Authentication (CIBA) is not enabled in Keycloak realms unless explicitly required. If CIBA is enabled, consider disabling it to prevent the bypass of brute-force protection mechanisms. Consult Keycloak documentation for instructions on managing CIBA configuration."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-305: Authentication Bypass by Primary Weakness"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9798",
        "datePublished": "2026-05-28T04:37:09.472Z",
        "dateReserved": "2026-05-28T03:51:03.615Z",
        "dateUpdated": "2026-05-29T18:30:05.748Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12388 (GCVE-0-2026-12388)

    Vulnerability from cvelistv5 – Published: 2026-06-30 12:00 – Updated: 2026-06-30 15:58
    VLAI
    Title
    Keycloak-broker: keycloak: privilege escalation to realm administrator via improper authorization in identity provider mapper
    Summary
    A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role" mapper that assigns high-level administrative roles (like realm-admin) to themselves or others. This allows a restricted administrator to bypass security checks and gain full control over the entire realm.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    URL Tags
    https://access.redhat.com/security/cve/CVE-2026-12388 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2489140 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Create a notification for this product.
    Date Public
    2026-06-30 11:49
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12388",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-30T14:18:51.123959Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T15:58:24.834Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2026-06-30T11:49:29.358Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a \"Hardcoded Role\" mapper that assigns high-level administrative roles (like realm-admin) to themselves or others. This allows a restricted administrator to bypass security checks and gain full control over the entire realm."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T12:00:28.675Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-12388"
            },
            {
              "name": "RHBZ#2489140",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489140"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-10T14:45:28.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-30T11:49:29.358Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak-broker: keycloak: privilege escalation to realm administrator via improper authorization in identity provider mapper",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-266: Incorrect Privilege Assignment"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-12388",
        "datePublished": "2026-06-30T12:00:28.675Z",
        "dateReserved": "2026-06-16T11:41:17.075Z",
        "dateUpdated": "2026-06-30T15:58:24.834Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4629 (GCVE-0-2026-4629)

    Vulnerability from cvelistv5 – Published: 2026-06-30 12:00 – Updated: 2026-07-01 14:26
    VLAI
    Title
    Keycloak: keycloak: privilege escalation through hardcoded role mapper injection
    Summary
    A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    URL Tags
    https://access.redhat.com/security/cve/CVE-2026-4629 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2450244 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Create a notification for this product.
    Date Public
    2026-04-20 12:34
    Credits
    Red Hat would like to thank Daniel Peters (Operating Intelligence Inc.), Lior Moshe (Operating Intelligence Inc.), and Uri Rolls (Operating Intelligence Inc.) for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4629",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T14:26:33.448859Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T14:26:59.489Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Daniel Peters (Operating Intelligence Inc.), Lior Moshe (Operating Intelligence Inc.), and Uri Rolls (Operating Intelligence Inc.) for reporting this issue."
            }
          ],
          "datePublic": "2026-04-20T12:34:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the `realm-admin` role into generated tokens, resulting in privilege escalation and full administrative access to the realm."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T12:00:28.631Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-4629"
            },
            {
              "name": "RHBZ#2450244",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450244"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-23T08:01:10.722Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-04-20T12:34:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: privilege escalation through hardcoded role mapper injection",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-266: Incorrect Privilege Assignment"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-4629",
        "datePublished": "2026-06-30T12:00:28.631Z",
        "dateReserved": "2026-03-23T08:02:49.337Z",
        "dateUpdated": "2026-07-01T14:26:59.489Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14209 (GCVE-0-2026-14209)

    Vulnerability from cvelistv5 – Published: 2026-06-30 11:48 – Updated: 2026-06-30 18:46
    VLAI
    Title
    Keycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions
    Summary
    A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific "brute-force-user" endpoint to access a user's full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required "view" permission for that specific user when using this particular search path.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    URL Tags
    https://access.redhat.com/security/cve/CVE-2026-14209 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2494837 issue-trackingx_refsource_REDHAT
    Impacted products
    Date Public
    2026-06-30 11:08
    Credits
    Red Hat would like to thank Jinyeong Yang for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14209",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-30T18:46:23.302478Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T18:46:34.501Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "keycloak-admin-ui",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk-openshift-rhel9/rhbk-openshift-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jbosseapxp"
              ],
              "defaultStatus": "affected",
              "packageName": "keycloak-admin-ui",
              "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Jinyeong Yang for reporting this issue."
            }
          ],
          "datePublic": "2026-06-30T11:08:07.532Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was discovered in Keycloak\u0027s Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific \"brute-force-user\" endpoint to access a user\u0027s full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required \"view\" permission for that specific user when using this particular search path."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T11:48:26.492Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-14209"
            },
            {
              "name": "RHBZ#2494837",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494837"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-29T20:54:20.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-30T11:08:07.532Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-14209",
        "datePublished": "2026-06-30T11:48:26.492Z",
        "dateReserved": "2026-06-30T10:52:31.949Z",
        "dateUpdated": "2026-06-30T18:46:34.501Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11800 (GCVE-0-2026-11800)

    Vulnerability from cvelistv5 – Published: 2026-06-25 20:57 – Updated: 2026-06-30 12:06
    VLAI
    Title
    Org.keycloak:keycloak-services: keycloak: authentication bypass via jwt algorithm confusion
    Summary
    A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    References
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.4-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-8 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.4     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Create a notification for this product.
    Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Create a notification for this product.
    Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-05-29 00:00
    Credits
    Red Hat would like to thank Bilal Teke for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11800",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:03:46.141909Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:03:54.683Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Keycloak",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_data_grid:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Data Grid 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_single_sign_on:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Single Sign-On 7",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-29T00:00:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-347",
                    "description": "Improper Verification of Cryptographic Signature",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:54.719Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-11800"
              },
              {
                "name": "RHBZ#2487006",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487006"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11800.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30084"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30083"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:30084: Red Hat build of Keycloak 26.6"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30083: Red Hat build of Keycloak 26.6.4"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-09T05:06:35.697Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-29T00:00:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "org.keycloak:keycloak-services: Keycloak: Authentication bypass via JWT algorithm confusion",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "product": "Red Hat build of Keycloak 26.6.4",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk-openshift-rhel9/rhbk-openshift-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:jboss_data_grid:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "keycloak-services",
              "product": "Red Hat Data Grid 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jbosseapxp"
              ],
              "defaultStatus": "unaffected",
              "packageName": "keycloak-services",
              "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:red_hat_single_sign_on:7"
              ],
              "defaultStatus": "unaffected",
              "packageName": "keycloak-services",
              "product": "Red Hat Single Sign-On 7",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Bilal Teke for reporting this issue."
            }
          ],
          "datePublic": "2026-05-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T20:57:05.276Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:30083",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30083"
            },
            {
              "name": "RHSA-2026:30084",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30084"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-11800"
            },
            {
              "name": "RHBZ#2487006",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487006"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-09T05:06:35.697Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-05-29T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Org.keycloak:keycloak-services: keycloak: authentication bypass via jwt algorithm confusion",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-347: Improper Verification of Cryptographic Signature"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-11800",
        "datePublished": "2026-06-25T20:57:05.276Z",
        "dateReserved": "2026-06-09T14:06:04.695Z",
        "dateUpdated": "2026-06-30T12:06:54.719Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9083 (GCVE-0-2026-9083)

    Vulnerability from cvelistv5 – Published: 2026-06-25 16:17 – Updated: 2026-06-26 06:46
    VLAI
    Title
    Keycloak: keycloak: information disclosure through arbitrary filesystem path probing
    Summary
    A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2026:30049 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30050 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30083 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30084 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2026-9083 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2480168 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.4-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-8 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.4     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-06-25 15:58
    Credits
    Red Hat would like to thank Swapnil Paliwal & Security Team (AxiomCode) for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9083",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T17:53:33.860276Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T17:53:44.159Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.4",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Swapnil Paliwal \u0026 Security Team (AxiomCode) for reporting this issue."
            }
          ],
          "datePublic": "2026-06-25T15:58:16.784Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. A realm administrator with the \"manage-realm\" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T06:46:21.516Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "name": "RHSA-2026:30083",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30083"
            },
            {
              "name": "RHSA-2026:30084",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30084"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9083"
            },
            {
              "name": "RHBZ#2480168",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480168"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-20T14:11:24.606Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-25T15:58:16.784Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: information disclosure through arbitrary filesystem path probing",
          "workarounds": [
            {
              "lang": "en",
              "value": "Ensure that only highly trusted administrators are granted the \"manage-realm\" role within Keycloak. This role provides extensive administrative privileges, including the ability to exploit this vulnerability for filesystem probing. Regularly review and audit users assigned to this role to minimize the attack surface."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9083",
        "datePublished": "2026-06-25T16:17:49.969Z",
        "dateReserved": "2026-05-20T14:11:59.940Z",
        "dateUpdated": "2026-06-26T06:46:21.516Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9799 (GCVE-0-2026-9799)

    Vulnerability from cvelistv5 – Published: 2026-06-25 16:17 – Updated: 2026-06-26 06:46
    VLAI
    Title
    Keycloak: keycloak: unauthorized access to resources via uma permission ticket bypass
    Summary
    A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2026:30049 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30050 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30083 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30084 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2026-9799 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2482471 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.4-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-8 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.4     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-05-19 12:34
    Credits
    Red Hat would like to thank Omaroo Baniessa for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9799",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T02:06:38.303071Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T02:06:55.475Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.4",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Omaroo Baniessa for reporting this issue."
            }
          ],
          "datePublic": "2026-05-19T12:34:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T06:46:38.312Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "name": "RHSA-2026:30083",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30083"
            },
            {
              "name": "RHSA-2026:30084",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30084"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9799"
            },
            {
              "name": "RHBZ#2482471",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482471"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T03:53:15.687Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-05-19T12:34:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: unauthorized access to resources via uma permission ticket bypass",
          "workarounds": [
            {
              "lang": "en",
              "value": "To mitigate this issue, ensure that the Keycloak client\u0027s policy enforcement mode is set to ENFORCING instead of PERMISSIVE. The PERMISSIVE mode is a non-default configuration that enables the vulnerability. Changing this setting will prevent the unauthorized access to resources of the same type. Consult Keycloak documentation for specific instructions on configuring policy enforcement mode for your client. This change may require a restart or reload of the Keycloak service to take effect and could impact existing authorization policies if not carefully managed."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9799",
        "datePublished": "2026-06-25T16:17:48.486Z",
        "dateReserved": "2026-05-28T03:53:25.960Z",
        "dateUpdated": "2026-06-26T06:46:38.312Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9705 (GCVE-0-2026-9705)

    Vulnerability from cvelistv5 – Published: 2026-06-25 16:17 – Updated: 2026-06-29 18:10
    VLAI
    Title
    Keycloak: keycloak: attacker can re-enable and take over disabled clients via registration access token
    Summary
    A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2026:30049 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30050 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30083 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30084 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2026-9705 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2481878 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.4-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-8 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.4     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-06-25 15:59
    Credits
    Red Hat would like to thank Qiulin Deng for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9705",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T18:10:38.249303Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T18:10:46.870Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.4",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Qiulin Deng for reporting this issue."
            }
          ],
          "datePublic": "2026-06-25T15:59:03.780Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak\u0027s client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client\u0027s secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T06:46:29.107Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "name": "RHSA-2026:30083",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30083"
            },
            {
              "name": "RHSA-2026:30084",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30084"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9705"
            },
            {
              "name": "RHBZ#2481878",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481878"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-27T12:42:28.395Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-25T15:59:03.780Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: attacker can re-enable and take over disabled clients via registration access token",
          "workarounds": [
            {
              "lang": "en",
              "value": "To mitigate this issue, restrict network access to the Keycloak Dynamic Client Registration endpoint. Configure network firewalls to allow connections only from trusted hosts or networks that legitimately require access to this functionality. This limits the exposure of the vulnerable endpoint to unauthorized access attempts."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-613: Insufficient Session Expiration"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9705",
        "datePublished": "2026-06-25T16:17:46.330Z",
        "dateReserved": "2026-05-27T12:48:48.084Z",
        "dateUpdated": "2026-06-29T18:10:46.870Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9086 (GCVE-0-2026-9086)

    Vulnerability from cvelistv5 – Published: 2026-06-25 16:16 – Updated: 2026-06-30 12:10
    VLAI
    Title
    Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass
    Summary
    A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.4-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-8 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.4     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-06-25 15:58
    Credits
    Red Hat would like to thank saku0512 for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9086",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T17:59:48.293762Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T17:59:57.632Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.4.13",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6.4",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-25T15:58:33.359Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:10:51.779Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-9086"
              },
              {
                "name": "RHBZ#2480170",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480170"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9086.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30050"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30084"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30049"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30083"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:30050: Red Hat build of Keycloak 26.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30084: Red Hat build of Keycloak 26.6"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30049: Red Hat build of Keycloak 26.4.13"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30083: Red Hat build of Keycloak 26.6.4"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-20T14:43:55.195Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-25T15:58:33.359Z",
                "value": "Made public."
              }
            ],
            "title": "keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass",
            "workarounds": [
              {
                "lang": "en",
                "value": "To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak\u0027s Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the `manage-client` role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.4",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank saku0512 for reporting this issue."
            }
          ],
          "datePublic": "2026-06-25T15:58:33.359Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T06:26:53.231Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "name": "RHSA-2026:30083",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30083"
            },
            {
              "name": "RHSA-2026:30084",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30084"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9086"
            },
            {
              "name": "RHBZ#2480170",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480170"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-20T14:43:55.195Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-25T15:58:33.359Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass",
          "workarounds": [
            {
              "lang": "en",
              "value": "To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak\u0027s Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the `manage-client` role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9086",
        "datePublished": "2026-06-25T16:16:46.017Z",
        "dateReserved": "2026-05-20T14:44:12.702Z",
        "dateUpdated": "2026-06-30T12:10:51.779Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9099 (GCVE-0-2026-9099)

    Vulnerability from cvelistv5 – Published: 2026-06-25 16:16 – Updated: 2026-06-30 12:10
    VLAI
    Title
    Keycloak: group-admin escalation to realm-admin
    Summary
    A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.4-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-8 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.4     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-06-25 15:58
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9099",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T20:25:31.782558Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T20:26:06.600Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.4.13",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6.4",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-25T15:58:51.884Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator\u0027s password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.7,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-639",
                    "description": "Authorization Bypass Through User-Controlled Key",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:10:50.907Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-9099"
              },
              {
                "name": "RHBZ#2480182",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480182"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9099.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30050"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30084"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30049"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30083"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:30050: Red Hat build of Keycloak 26.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30084: Red Hat build of Keycloak 26.6"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30049: Red Hat build of Keycloak 26.4.13"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30083: Red Hat build of Keycloak 26.6.4"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-20T15:05:54.381Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-25T15:58:51.884Z",
                "value": "Made public."
              }
            ],
            "title": "keycloak: Group-Admin Escalation to Realm-Admin",
            "workarounds": [
              {
                "lang": "en",
                "value": "To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.4",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2026-06-25T15:58:51.884Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator\u0027s password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T06:26:57.094Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "name": "RHSA-2026:30083",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30083"
            },
            {
              "name": "RHSA-2026:30084",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30084"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9099"
            },
            {
              "name": "RHBZ#2480182",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480182"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-20T15:05:54.381Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-25T15:58:51.884Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: group-admin escalation to realm-admin",
          "workarounds": [
            {
              "lang": "en",
              "value": "To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9099",
        "datePublished": "2026-06-25T16:16:43.604Z",
        "dateReserved": "2026-05-20T15:12:25.740Z",
        "dateUpdated": "2026-06-30T12:10:50.907Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9800 (GCVE-0-2026-9800)

    Vulnerability from cvelistv5 – Published: 2026-06-25 16:16 – Updated: 2026-06-30 12:10
    VLAI
    Title
    Keycloak: keycloak policy enforcer: authorization bypass via incorrect uri comparison
    Summary
    A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1025 - Comparison Using Wrong Factors
    Assigner
    References
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.4-2 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-8 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.4     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-05-19 00:00
    Credits
    Red Hat would like to thank Bas Levering for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9800",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T17:27:58.852057Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T17:29:38.796Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.4.13",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:26.6::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Keycloak 26.6.4",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-19T00:00:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1025",
                    "description": "Comparison Using Wrong Factors",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:10:49.545Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-9800"
              },
              {
                "name": "RHBZ#2482472",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482472"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9800.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30050"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30084"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30049"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30083"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:30050: Red Hat build of Keycloak 26.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30084: Red Hat build of Keycloak 26.6"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30049: Red Hat build of Keycloak 26.4.13"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30083: Red Hat build of Keycloak 26.6.4"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-28T03:57:56.111Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-19T00:00:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "keycloak: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.4",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Bas Levering for reporting this issue."
            }
          ],
          "datePublic": "2026-05-19T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1025",
                  "description": "Comparison Using Wrong Factors",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T06:26:58.221Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "name": "RHSA-2026:30083",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30083"
            },
            {
              "name": "RHSA-2026:30084",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30084"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9800"
            },
            {
              "name": "RHBZ#2482472",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482472"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T03:57:56.111Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-05-19T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak policy enforcer: authorization bypass via incorrect uri comparison",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-1025: Comparison Using Wrong Factors"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9800",
        "datePublished": "2026-06-25T16:16:27.069Z",
        "dateReserved": "2026-05-28T04:00:06.454Z",
        "dateUpdated": "2026-06-30T12:10:49.545Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11986 (GCVE-0-2026-11986)

    Vulnerability from cvelistv5 – Published: 2026-06-11 16:47 – Updated: 2026-06-11 18:50
    VLAI
    Title
    Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of keycloak
    Summary
    A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-425 - Direct Request ('Forced Browsing')
    Assigner
    References
    URL Tags
    https://access.redhat.com/security/cve/CVE-2026-11986 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2487906 issue-trackingx_refsource_REDHAT
    Impacted products
    Date Public
    2026-06-11 14:17
    Credits
    Red Hat would like to thank Wesley "Alardiians" Colquitt (Byteshyft Studios) for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11986",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-11T18:49:43.250186Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-11T18:50:30.698Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "keycloak-rest-admin-ui-ext",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk-openshift-rhel9/rhbk-openshift-rhel9",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jbosseapxp"
              ],
              "defaultStatus": "unaffected",
              "packageName": "keycloak-rest-admin-ui-ext",
              "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Wesley \"Alardiians\" Colquitt (Byteshyft Studios) for reporting this issue."
            }
          ],
          "datePublic": "2026-06-11T14:17:32.078Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-425",
                  "description": "Direct Request (\u0027Forced Browsing\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-11T16:47:11.862Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-11986"
            },
            {
              "name": "RHBZ#2487906",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487906"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-08T18:22:02.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-11T14:17:32.078Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of keycloak",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-425: Direct Request (\u0027Forced Browsing\u0027)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-11986",
        "datePublished": "2026-06-11T16:47:11.862Z",
        "dateReserved": "2026-06-11T14:18:10.409Z",
        "dateUpdated": "2026-06-11T18:50:30.698Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11577 (GCVE-0-2026-11577)

    Vulnerability from cvelistv5 – Published: 2026-06-08 11:44 – Updated: 2026-06-30 12:06
    VLAI
    Title
    Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass
    Summary
    A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Date Public
    2026-06-08 00:00
    Credits
    Red Hat would like to thank Andrii Ilin (10Guards) for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11577",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-09T18:38:26.079653Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-09T18:38:42.517Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/keycloak/keycloak/issues/9387"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Keycloak",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_single_sign_on:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Single Sign-On 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_data_grid:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Data Grid 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-08T00:00:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-863",
                    "description": "Incorrect Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:54.992Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-11577"
              },
              {
                "name": "RHBZ#2459993",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459993"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11577.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-18T00:00:00.000Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-08T00:00:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "keycloak: keycloak: privilege escalation via partialImport FGAP permission bypass",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "keycloak-services",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:jboss_data_grid:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "keycloak-services",
              "product": "Red Hat Data Grid 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_application_platform:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "keycloak-services",
              "product": "Red Hat JBoss Enterprise Application Platform 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jbosseapxp"
              ],
              "defaultStatus": "unaffected",
              "packageName": "keycloak-services",
              "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:red_hat_single_sign_on:7"
              ],
              "defaultStatus": "unknown",
              "packageName": "keycloak-services",
              "product": "Red Hat Single Sign-On 7",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Andrii Ilin (10Guards) for reporting this issue."
            }
          ],
          "datePublic": "2026-06-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T07:32:45.088Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-11577"
            },
            {
              "name": "RHBZ#2459993",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459993"
            },
            {
              "url": "https://github.com/keycloak/keycloak/issues/9387"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-18T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-08T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-863: Incorrect Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-11577",
        "datePublished": "2026-06-08T11:44:41.892Z",
        "dateReserved": "2026-06-08T11:34:22.437Z",
        "dateUpdated": "2026-06-30T12:06:54.992Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9088 (GCVE-0-2026-9088)

    Vulnerability from cvelistv5 – Published: 2026-06-05 07:52 – Updated: 2026-06-26 07:01
    VLAI
    Title
    Keycloak: keycloak: information disclosure due to user profile permission bypass
    Summary
    A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1220 - Insufficient Granularity of Access Control
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2026:25097 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:25098 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30049 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:30050 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2026-9088 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2480179 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4.13-1 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4 Unaffected: 26.4-19 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.4.13     cpe:/a:redhat:build_keycloak:26.4::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6.3-3 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6 Unaffected: 26.6-6 , < * (rpm)
        cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Red Hat Red Hat build of Keycloak 26.6.3     cpe:/a:redhat:build_keycloak:26.6::el9
    Create a notification for this product.
    Date Public
    2026-06-05 07:45
    Credits
    Red Hat would like to thank Hadley So for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9088",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-05T13:10:30.927804Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-05T13:10:40.187Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4.13-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.4",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.4-19",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.4::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.4.13",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-operator-bundle",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6.3-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rhbk/keycloak-rhel9-operator",
              "product": "Red Hat build of Keycloak 26.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.6-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:26.6::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "rhbk/keycloak-rhel9",
              "product": "Red Hat build of Keycloak 26.6.3",
              "vendor": "Red Hat"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Hadley So for reporting this issue."
            }
          ],
          "datePublic": "2026-06-05T07:45:40.116Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Low"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1220",
                  "description": "Insufficient Granularity of Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T07:01:31.888Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2026:25097",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:25097"
            },
            {
              "name": "RHSA-2026:25098",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:25098"
            },
            {
              "name": "RHSA-2026:30049",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30049"
            },
            {
              "name": "RHSA-2026:30050",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2026:30050"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2026-9088"
            },
            {
              "name": "RHBZ#2480179",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480179"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-20T15:01:25.568Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2026-06-05T07:45:40.116Z",
              "value": "Made public."
            }
          ],
          "title": "Keycloak: keycloak: information disclosure due to user profile permission bypass",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-1220: Insufficient Granularity of Access Control"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2026-9088",
        "datePublished": "2026-06-05T07:52:52.858Z",
        "dateReserved": "2026-05-20T15:01:48.645Z",
        "dateUpdated": "2026-06-26T07:01:31.888Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }