CVE-2026-9083
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4.13-1 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-19 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-19 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6.4-2 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6-8 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6-8 < * | unaffected |
Weaknesses
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Workarounds
Ensure that only highly trusted administrators are granted the "manage-realm" role within Keycloak. This role provides extensive administrative privileges, including the ability to exploit this vulnerability for filesystem probing. Regularly review and audit users assigned to this role to minimize the attack surface.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://access.redhat.com/errata/RHSA-2026:30049
- https://access.redhat.com/errata/RHSA-2026:30050
- https://access.redhat.com/errata/RHSA-2026:30083
- https://access.redhat.com/errata/RHSA-2026:30084
- https://access.redhat.com/security/cve/CVE-2026-9083
- https://bugzilla.redhat.com/show_bug.cgi?id=2480168
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.