CVE-2026-9796
Analyzed Analyzed - Analysis Complete
Privilege Escalation via TOCTOU in Keycloak

Publication date: 2026-05-28

Last updated on: 2026-06-03

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-03
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-9796
EUVD
EUVD-2026-32716
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat build_of_keycloak *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-9796 is a vulnerability in Keycloak involving a Time-of-Check to Time-of-Use (TOCTOU) flaw.

An authenticated administrator who has the `manage-clients` role can exploit this flaw to escalate their privileges to `realm-admin` for all users within the realm.

This escalation grants the attacker extensive control over the system.

The vulnerability arises from name-based admin role checks and the elevated privileges persist even after the attacker's own permissions are revoked and across system reboots.

Impact Analysis

This vulnerability allows an attacker with limited administrative rights to gain full administrative control over the Keycloak realm.

With `realm-admin` privileges, the attacker can manage all users and configurations within the realm, potentially compromising the entire authentication and authorization system.

Since the elevated privileges persist even after revocation and system reboots, the attacker can maintain long-term unauthorized access and control.

Compliance Impact

The vulnerability allows an authenticated administrator with limited privileges to escalate to full realm-admin privileges, gaining extensive control over the system. This unauthorized privilege escalation can lead to unauthorized access and potential misuse of sensitive data.

Such unauthorized access and control could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Because the attacker retains elevated privileges even after their original permissions are revoked and across system reboots, this persistent unauthorized access increases the risk of data breaches and non-compliance with regulatory requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9796. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart