CVE-2026-9099
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
Summary
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.
Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4.13-1 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-19 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-19 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6.4-2 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6-8 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6-8 < * | unaffected |
Weaknesses
- CWE-639: Authorization Bypass Through User-Controlled Key
Workarounds
To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
keycloak: Group-Admin Escalation to Realm-Admin
Additional References
- https://access.redhat.com/security/cve/CVE-2026-9099
- https://bugzilla.redhat.com/show_bug.cgi?id=2480182
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9099.json
- https://access.redhat.com/errata/RHSA-2026:30050
- https://access.redhat.com/errata/RHSA-2026:30084
- https://access.redhat.com/errata/RHSA-2026:30049
- https://access.redhat.com/errata/RHSA-2026:30083
References
- https://access.redhat.com/errata/RHSA-2026:30049
- https://access.redhat.com/errata/RHSA-2026:30050
- https://access.redhat.com/errata/RHSA-2026:30083
- https://access.redhat.com/errata/RHSA-2026:30084
- https://access.redhat.com/security/cve/CVE-2026-9099
- https://bugzilla.redhat.com/show_bug.cgi?id=2480182
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.