CVE-2026-9791

Summary

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat build of Keycloak 26.426.4.13-1 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-19 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-19 < *unaffected
Red HatRed Hat build of Keycloak 26.626.6.3-3 < *unaffected
Red HatRed Hat build of Keycloak 26.626.6-6 < *unaffected
Red HatRed Hat build of Keycloak 26.626.6-6 < *unaffected

Weaknesses

  • CWE-863: Incorrect Authorization

Workarounds

Administrators should verify that disabling the Organizations feature properly blocks all organization-related functionality. Consider implementing additional access controls or removing organization memberships before disabling the feature.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References