CVE-2026-9099

Summary

A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.

Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat build of Keycloak 26.426.4.13-1 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-19 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-19 < *unaffected
Red HatRed Hat build of Keycloak 26.626.6.4-2 < *unaffected
Red HatRed Hat build of Keycloak 26.626.6-8 < *unaffected
Red HatRed Hat build of Keycloak 26.626.6-8 < *unaffected

Weaknesses

  • CWE-639: Authorization Bypass Through User-Controlled Key

Workarounds

To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

keycloak: Group-Admin Escalation to Realm-Admin

Additional References

References