CVE-2026-16108
Received Received - Intake

Information Disclosure in Keycloak Default Groups

Vulnerability report for CVE-2026-16108, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Red Hat, Inc.

Description

A flaw was found in the default-groups REST endpoint and realm representation of Keycloak. This component is responsible for managing groups that are automatically assigned to new users within a realm. The issue allows a delegated administrator with realm-viewing permissions to see the names and identifiers of hidden default groups, even if they lack the specific permissions to view those groups. This can lead to the exposure of sensitive organizational structures or internal group names.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
keycloak keycloak *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Keycloak allows a delegated administrator with realm-viewing permissions to see hidden default groups they shouldn't access. The flaw exists in the default-groups REST endpoint and realm representation, which fails to enforce proper permission checks when Fine-Grained Admin Permissions v2 is enabled.

Detection Guidance

To detect this vulnerability, monitor access to the Keycloak Admin REST API endpoints /admin/realms/{realm}/default-groups and /admin/realms/{realm}. Check for unauthorized requests or unusual enumeration of group names, UUIDs, or paths by delegated administrators with realm-viewing permissions.

Impact Analysis

An attacker with limited permissions could enumerate sensitive group names, UUIDs, and paths. This exposes internal organizational structures, privilege levels, or tenant details that should remain hidden, potentially aiding further attacks or compliance violations.

Compliance Impact

This vulnerability may violate data protection requirements by exposing sensitive group structures that could reveal unauthorized access patterns or internal hierarchies, potentially leading to non-compliance with GDPR, HIPAA, or other privacy regulations.

Mitigation Strategies

Apply the latest Keycloak security patches. Review and restrict delegated administrator permissions to ensure they cannot access restricted group information. Audit logs for suspicious activity on the default-groups and realm endpoints.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16108. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart