CVE-2026-2366

LOW

Red Hat build of Keycloak 26.4 - Authenticated Authorization Bypass in Admin API

Title source: llm
STIX 2.1

Description

A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.

References (4)

Core 4
Core References
Vendor Advisory vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-2366
Vendor Advisory issue-tracking x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2439081
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:6477
https://access.redhat.com/errata/RHSA-2026:6477
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:6478
https://access.redhat.com/errata/RHSA-2026:6478

Scores

CVSS v3 3.1
EPSS 0.0027
EPSS Percentile 19.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-639
Status published
Products (5)
keycloak/keycloak-admin-client 0npm
org.keycloak/keycloak-js-admin-client 0Maven
Red Hat/Red Hat build of Keycloak 26.4 26.4-14
Red Hat/Red Hat build of Keycloak 26.4 26.4.11-1
Red Hat/Red Hat build of Keycloak 26.4.11
Published Mar 12, 2026
Tracked Since Mar 12, 2026