CVE-2026-2366

LOW

Keycloak - Auth Bypass

Title source: llm

Description

A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.

References (4)

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2026-2366

[Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=2439081

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2026:6477

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2026:6478

Scores

CVSS v3 3.1

EPSS 0.0003

EPSS Percentile 9.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (5)

keycloak/keycloak-admin-client 0npm

org.keycloak/keycloak-js-admin-client 0Maven

Red Hat/Red Hat build of Keycloak 26.4 26.4-14

Red Hat/Red Hat build of Keycloak 26.4 26.4.11-1

Red Hat/Red Hat build of Keycloak 26.4.11

Published Mar 12, 2026

Tracked Since Mar 12, 2026