CVE-2026-9791

Published: May 28, 2026Modified: Jun 10, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: secalert@redhat.com (Secondary)

Description

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.

Affected (1)

Products: Redhat: Build Of Keycloak

1 product

Build Of Keycloak

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Build Of Keycloak	All versions

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://access.redhat.com/errata/RHSA-2026:25097

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2026:25098

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2026-9791

Source: secalert@redhat.com

MitigationVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2482458

Source: secalert@redhat.com

Issue TrackingVendor Advisory

Timeline

No history available yet.