CVE-2026-9791
Status: Received - Intake
Keycloak Organization Metadata Disclosure via OIDC Token

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. An authenticated user with an existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API, or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. Organization metadata is then disclosed in tokens and API responses even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers that trust that data.
Meta Information
Generated: 2026-05-28
AI Q&A generated: 2026-05-28
EPSS evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: redhat; Product: keycloak; Version / Range: * (any version)
Weakness
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Keycloak concerns organization metadata that remains accessible to authenticated users after an administrator has disabled the Organizations feature.

An authenticated user who is already a member of an organization can obtain that metadata through user-facing APIs such as the account API, or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. Although the feature is disabled, these endpoints and tokens still expose organization membership data.

The root cause is an incomplete authorization check (CWE-863): Keycloak blocks access to the admin Organizations API when the feature is disabled, but does not apply the same restriction to the user-facing endpoints, so the organization data leaks through them.


How can this vulnerability impact me?

The flaw discloses organization metadata to authenticated users who should no longer be able to obtain it once the Organizations feature has been disabled.

Because the leaked data appears in tokens and API responses, resource servers that trust an organization claim can make incorrect authorization decisions on the basis of stale or unintended organization data.

Exploitation requires an authenticated user who already holds an organization membership, and a client that permits the 'organization' scope. The flaw does not create memberships; it keeps exposing ones that already exist.

The impact is rated medium severity with a CVSS score of 4.3, and at the time of this page's last update no patch is available.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection is a behavioural check: confirm that the Organizations feature is disabled for the realm, then verify whether organization metadata is still returned by the user-facing API or embedded in a freshly issued token for a user who is an organization member.

  • Query the account API organizations endpoint with that user's token: curl -H "Authorization: Bearer <token>" https://<keycloak-server>/realms/<realm>/account/organizations. A non-empty organization list returned while the feature is disabled is a finding.
  • Request a token with the 'organization' scope from https://<keycloak-server>/realms/<realm>/protocol/openid-connect/token (scope=openid organization, using any OAuth client that permits the scope), base64url-decode the payload segment of the access token, and look for an organization claim. Its presence while the feature is disabled is a finding.
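The two checks above, written out as an added example (this is not code from the page or from the Keycloak project). The offline part decodes a token and reports whether it carries an organization claim while the feature is disabled; the optional live part obtains a token with the 'organization' scope via the password grant and calls the account organizations endpoint named above. The claim name `organization`, the object-keyed-by-alias claim shape, the environment variable names and the sample tokens are assumptions constructed for the example.

```python
"""Added check for CVE-2026-9791: does a user token (or the account API) still
expose organization metadata after the Organizations feature was disabled?
Claim name, claim shape and endpoint paths are assumptions for this example."""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

ORG_CLAIM = "organization"  # claim added by the 'organization' client scope (assumed name)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.  This is enough
    to see what the issuer put in the token; never use it for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def organization_aliases(claims: dict) -> list:
    """Aliases named in the organization claim.  Assumed shape: an object keyed
    by organization alias; a plain list is accepted too so a variant is not
    silently missed."""
    org = claims.get(ORG_CLAIM)
    if org is None:
        return []
    if isinstance(org, dict):
        return sorted(org)
    if isinstance(org, list):
        return sorted(str(o) for o in org)
    return [str(org)]


def token_leaks_organizations(token: str, organizations_disabled: bool = True) -> bool:
    """The CVE condition: organization metadata in a token issued while the
    Organizations feature is disabled.  With the feature enabled the claim is
    expected, so nothing is reported."""
    return organizations_disabled and bool(organization_aliases(decode_claims(token)))


def request_token(base_url, realm, client_id, username, password, client_secret=None):
    """Resource Owner Password grant asking for the 'organization' scope (live call)."""
    form = {"grant_type": "password", "client_id": client_id, "username": username,
            "password": password, "scope": "openid organization"}
    if client_secret:
        form["client_secret"] = client_secret
    req = urllib.request.Request(
        f"{base_url}/realms/{realm}/protocol/openid-connect/token",
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def account_organizations(base_url, realm, access_token):
    """GET the account API organizations endpoint named on this page (live call).
    Returns (HTTP status, parsed body or None)."""
    req = urllib.request.Request(
        f"{base_url}/realms/{realm}/account/organizations",
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


def _sample_token(claims: dict) -> str:
    # Constructed sample: genuine header/payload encoding, dummy signature segment.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2lnbmF0dXJl"


SAMPLE_LEAKING_TOKEN = _sample_token(
    {"sub": "1234", "scope": "openid organization", ORG_CLAIM: {"acme": {}}})
SAMPLE_CLEAN_TOKEN = _sample_token({"sub": "1234", "scope": "openid"})

if __name__ == "__main__":
    env = os.environ
    if env.get("KEYCLOAK_URL"):  # live check against a real deployment
        tok = request_token(env["KEYCLOAK_URL"], env["KEYCLOAK_REALM"], env["KEYCLOAK_CLIENT_ID"],
                            env["KEYCLOAK_USER"], env["KEYCLOAK_PASSWORD"],
                            env.get("KEYCLOAK_CLIENT_SECRET"))
        access = tok["access_token"]
        print("organization aliases in token:", organization_aliases(decode_claims(access)))
        print("account API:", account_organizations(env["KEYCLOAK_URL"], env["KEYCLOAK_REALM"], access))
    else:  # offline demonstration on the constructed samples
        print("leaking sample:", token_leaks_organizations(SAMPLE_LEAKING_TOKEN))  # True
        print("clean sample:", token_leaks_organizations(SAMPLE_CLEAN_TOKEN))      # False
```

Run it with KEYCLOAK_URL, KEYCLOAK_REALM, KEYCLOAK_CLIENT_ID, KEYCLOAK_USER and KEYCLOAK_PASSWORD set to test a deployment; the password grant must be enabled on the client you name, and that client must permit the organization scope, otherwise the token check proves nothing. Signature verification is deliberately skipped because the question is what the server chose to emit, not whether the token is valid.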

What immediate steps should I take to mitigate this vulnerability?

No patch is available at the time of this page's last update. Immediate mitigations:

  • Remove the 'organization' client scope from every client's default and optional client scopes so that it can no longer be requested; that scope assignment is what puts the organization claim into tokens.
  • Restrict access to the user-facing account API organizations endpoint (for example by blocking /realms/<realm>/account/organizations at a reverse proxy) until a fix is available.
  • Consider re-enabling the Organizations feature if feasible, or avoid disabling it until a fix is available: disabling it blocks only the admin Organizations API, which removes the administrator's ability to manage memberships without removing the memberships themselves.
  • Audit issued tokens for unintended organization claims, and make sure resource servers do not base authorization decisions on an organization claim while the feature is disabled.
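The first mitigation, auditing which clients can still be asked for the 'organization' scope and optionally detaching it, as an added example that is not the page's or the project's own code. The Admin REST API paths used (`/admin/realms/{realm}/clients`, the per-client `default-client-scopes` and `optional-client-scopes` sub-resources, and DELETE on them) are the documented Keycloak admin endpoints; the credential flow (password grant against the master realm's `admin-cli` client), the environment variable names and the sample data are assumptions constructed for the example.

```python
"""Added mitigation helper for CVE-2026-9791: list every client in a realm that
has the 'organization' client scope assigned (default or optional) and, on
request, detach it via the Keycloak Admin REST API.  Credential flow and
environment variable names are assumptions for this example."""
import json
import os
import urllib.parse
import urllib.request

ORG_SCOPE = "organization"


def clients_exposing_org_scope(clients, scopes_by_client):
    """Pure decision logic, testable offline.
    clients: client representations with 'id' and 'clientId'.
    scopes_by_client: client id -> list of default+optional client scope
    representations with 'id' and 'name'.
    Returns the clientIds that can currently request the organization scope."""
    hits = []
    for client in clients:
        assigned = scopes_by_client.get(client["id"], [])
        if any(scope.get("name") == ORG_SCOPE for scope in assigned):
            hits.append(client["clientId"])
    return sorted(hits)


def _admin_request(base_url, token, path, method="GET"):
    """Authenticated Admin REST call; DELETE returns 204 with an empty body."""
    req = urllib.request.Request(
        f"{base_url}{path}", method=method,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
        return json.loads(body) if body else None


def admin_token(base_url, username, password):
    """Password grant against the master realm's admin-cli client (assumed flow)."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/master/protocol/openid-connect/token", data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def audit_realm(base_url, realm, token, detach=False):
    """Return the clientIds with 'organization' assigned; with detach=True also
    remove the assignment so the scope can no longer be requested."""
    clients = _admin_request(base_url, token, f"/admin/realms/{realm}/clients")
    scopes_by_client = {}
    for client in clients:
        cid = client["id"]
        scopes_by_client[cid] = []
        for kind in ("default-client-scopes", "optional-client-scopes"):
            for scope in _admin_request(base_url, token, f"/admin/realms/{realm}/clients/{cid}/{kind}"):
                scope["_kind"] = kind  # remember which sub-resource to DELETE from
                scopes_by_client[cid].append(scope)
    affected = clients_exposing_org_scope(clients, scopes_by_client)
    if detach:
        for client in clients:
            for scope in scopes_by_client[client["id"]]:
                if scope.get("name") == ORG_SCOPE:
                    _admin_request(base_url, token,
                                   f"/admin/realms/{realm}/clients/{client['id']}/{scope['_kind']}/{scope['id']}",
                                   method="DELETE")
    return affected


# Constructed sample data shaped like the Admin API responses, used offline.
SAMPLE_CLIENTS = [
    {"id": "c1", "clientId": "web-app"},
    {"id": "c2", "clientId": "mobile"},
    {"id": "c3", "clientId": "backend-service"},
]
SAMPLE_SCOPES = {
    "c1": [{"id": "s1", "name": "profile"}, {"id": "s9", "name": ORG_SCOPE}],
    "c2": [{"id": "s9", "name": ORG_SCOPE}],
    "c3": [{"id": "s1", "name": "profile"}, {"id": "s2", "name": "email"}],
}

if __name__ == "__main__":
    env = os.environ
    if env.get("KEYCLOAK_URL"):  # live audit; DETACH=1 also removes the assignments
        tok = admin_token(env["KEYCLOAK_URL"], env["KEYCLOAK_ADMIN"], env["KEYCLOAK_ADMIN_PASSWORD"])
        print(audit_realm(env["KEYCLOAK_URL"], env["KEYCLOAK_REALM"], tok,
                          detach=env.get("DETACH") == "1"))
    else:
        print(clients_exposing_org_scope(SAMPLE_CLIENTS, SAMPLE_SCOPES))  # ['mobile', 'web-app']
```

Run the audit first without DETACH to see which clients would change; detaching the scope from a client that legitimately relies on the organization claim will break that client once the feature is re-enabled, so this is a stop-gap for realms where the feature is meant to stay off.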
