CVE-2026-9796
Privilege Escalation via TOCTOU in Keycloak
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | keycloak | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9796 is a vulnerability in Keycloak involving a Time-of-Check to Time-of-Use (TOCTOU) flaw.
An authenticated administrator who has the `manage-clients` role can exploit this flaw to escalate their privileges to `realm-admin` for all users within the realm.
This escalation grants the attacker extensive control over the system.
The vulnerability arises from name-based admin role checks and the elevated privileges persist even after the attacker's own permissions are revoked and across system reboots.
How can this vulnerability impact me? :
This vulnerability allows an attacker with limited administrative rights to gain full administrative control over the Keycloak realm.
With `realm-admin` privileges, the attacker can manage all users and configurations within the realm, potentially compromising the entire authentication and authorization system.
Since the elevated privileges persist even after revocation and system reboots, the attacker can maintain long-term unauthorized access and control.