CVE-2026-9088

Published: Jun 5, 2026Modified: Jun 10, 2026

2.7

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Exploitability: 1.2 / Impact: 1.4

Source: secalert@redhat.com (Secondary)

Description

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.

Related CWEs

CWE-1220

Insufficient Granularity of Access Control

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

References (4)

https://access.redhat.com/errata/RHSA-2026:25097

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2026:25098

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2026-9088

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2480179

Source: secalert@redhat.com

Timeline

No history available yet.