CVE-2026-9083

Summary

A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat build of Keycloak 26.426.4.13-1 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-19 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-19 < *unaffected
Red HatRed Hat build of Keycloak 26.626.6.4-2 < *unaffected
Red HatRed Hat build of Keycloak 26.626.6-8 < *unaffected
Red HatRed Hat build of Keycloak 26.626.6-8 < *unaffected

Weaknesses

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Workarounds

Ensure that only highly trusted administrators are granted the "manage-realm" role within Keycloak. This role provides extensive administrative privileges, including the ability to exploit this vulnerability for filesystem probing. Regularly review and audit users assigned to this role to minimize the attack surface.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References