CVE-2026-16072
Received Received - Intake

Keycloak Organization Management Privilege Escalation

Vulnerability report for CVE-2026-16072, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Red Hat, Inc.

Description

A flaw was found in the organization management component of Keycloak. A delegated administrator with permission to manage organizations can create an invitation for a non-existent email address and then retrieve the secret registration link directly through the application programming interface. By using this link, the administrator can create new user accounts and add them to the organization without having the required user management permissions or access to the invited email account. This allows an administrator to bypass security boundaries and add unauthorized members to an organization.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
redhat keycloak *
keycloak keycloak *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Keycloak allows a delegated administrator with manage-organizations permission but without manage-users permission to create an invitation for a non-existent email address. The API response includes a secret registration link that can be used to bypass email verification and create unauthorized user accounts directly in the organization.

Detection Guidance

Check Keycloak server logs for unusual API calls to the organization management endpoints, particularly requests fetching pending invitations or registration links. Look for repeated attempts to access the inviteLink field in API responses.

Impact Analysis

An attacker with delegated admin privileges could exploit this to add unauthorized users to an organization, bypassing security controls. This could lead to unauthorized access, privilege escalation, or unauthorized actions within the organization's Keycloak instance.

Compliance Impact

This vulnerability could violate compliance requirements by allowing unauthorized user access, potentially leading to data breaches or unauthorized data exposure. Organizations using Keycloak may fail to meet access control and audit requirements under GDPR, HIPAA, or other regulations.

Mitigation Strategies

Apply the latest Keycloak security patches immediately. Review all delegated administrators' permissions to ensure they do not have both manage-organizations and manage-users permissions. Monitor organization membership changes for unauthorized additions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16072. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart