CVE-2026-2366
Received Received - Intake
Authorization Bypass in Keycloak Admin API Enables Data Disclosure

Publication date: 2026-03-12

Last updated on: 2026-04-02

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2366
EUVD
EUVD-2026-11553
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
keycloak keycloak 26.5.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-2366 is an information disclosure vulnerability in Keycloak's Admin API caused by an authorization bypass."}, {'type': 'paragraph', 'content': "Specifically, the API endpoint that lists the organizations a user belongs to does not properly check permissions, allowing any authenticated userβ€”even those without administrative privilegesβ€”to see the organization memberships of other users if they know the victim's unique identifier (UUID)."}, {'type': 'paragraph', 'content': 'This occurs when the Organizations feature is enabled in Keycloak, and the attacker has a valid access token but lacks the necessary admin roles.'}] [1]

Impact Analysis

This vulnerability allows unauthorized users to obtain information about which organizations other users belong to within Keycloak.

While it does not allow modification or deletion of data, it results in a confidentiality breach by exposing potentially sensitive organizational membership information.

Such information disclosure could be leveraged for further targeted attacks or social engineering.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the vulnerable Admin API endpoint with a low-privileged authenticated user token and checking if organization membership information of other users is disclosed.'}, {'type': 'list_item', 'content': 'Ensure the Organizations feature is enabled in Keycloak.'}, {'type': 'list_item', 'content': 'Obtain a valid OIDC access token for a low-privileged user.'}, {'type': 'list_item', 'content': 'Perform a GET request to the endpoint `/admin/realms/{realm}/organizations/members/{victim-uuid}/organizations` replacing `{realm}` and `{victim-uuid}` with appropriate values.'}, {'type': 'list_item', 'content': 'If the response is HTTP 200 OK and returns the victim’s organization memberships, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'Example curl command to test the vulnerability:'}, {'type': 'list_item', 'content': 'curl -H "Authorization: Bearer <low-privileged-user-token>" https://<keycloak-server>/admin/realms/<realm>/organizations/members/<victim-uuid>/organizations'}] [1]

Mitigation Strategies

Currently, no patch is available for this vulnerability.

Immediate mitigation steps include:

  • Restrict access to the Keycloak Admin API to only trusted and necessary users.
  • Limit or disable the Organizations feature if it is not required.
  • Monitor and audit API access logs for suspicious requests to the vulnerable endpoint.
  • Ensure that UUIDs of users are not easily guessable or exposed to unauthorized users.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2366. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart