CVE-2026-9099
Status: Undergoing Analysis - In Progress
Privilege Escalation in Keycloak via Group Reparenting

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint of the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow the group hierarchy, this action grants the attacker, without authorization, management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise that account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: keycloak
Product: keycloak
Version / Range: * (all versions; no fixed range listed)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Compliance Impact

This vulnerability allows an attacker to achieve full realm takeover by compromising administrator accounts, leading to a complete compromise of confidentiality, integrity, and availability of the system.

Such a compromise can result in unauthorized access to sensitive personal data or protected health information, which may violate compliance requirements under standards like GDPR and HIPAA that mandate strict controls over data confidentiality and integrity.

Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to potential data breaches and failure to maintain adequate access controls.

Executive Summary

This vulnerability exists in Keycloak's Admin REST API, specifically in the GroupResource.addChild() endpoint. It is caused by a missing authorization check: the endpoint does not verify that the caller is allowed to manage the group being moved, so an authenticated user with limited administrative privileges can reparent any existing group.

When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker who manages a low-privilege group can reparent a highly privileged group, such as one with the realm-admin role, under their control.

Because group permissions are inherited down the group hierarchy, this unauthorized reparenting grants the attacker management and password-reset capabilities over the members of the privileged group, enabling them to reset an administrator's password and potentially take over the entire realm.

Impact Analysis

This vulnerability can lead to a full realm takeover in Keycloak, compromising the confidentiality, integrity, and availability of the system.

An attacker exploiting this flaw can reset administrator passwords, gain unauthorized management access, and control privileged accounts.

Such a compromise can result in unauthorized access to sensitive data, disruption of services, and loss of trust in the security of the system.

Mitigation Strategies

To mitigate this vulnerability, ensure that Fine-Grained Admin Permissions v2 (FGAPv2) is carefully configured and monitored so that delegated group managers cannot reparent groups they are not authorized to manage; if FGAPv2 is not required, leave it disabled, since the escalation path described above depends on it.

Limit management rights over groups to trusted administrators only, especially for groups with high privileges such as those possessing the realm-admin role.

Apply any available patches or updates from Keycloak or your vendor that address this authorization flaw in the GroupResource.addChild() endpoint.

Review and audit group hierarchy changes regularly (for example, by monitoring admin events for group creation and update operations) to detect any unauthorized reparenting, particularly moves of groups that carry realm-admin or other privileged roles.
