CVE-2026-9791

MEDIUM

Keycloak-rhel9: organization data leak after feature disabled in keycloak

Title source: cna
STIX 2.1

Description

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.

References (4)

Core 4
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:25097
https://access.redhat.com/errata/RHSA-2026:25097
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:25098
https://access.redhat.com/errata/RHSA-2026:25098
Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-9791
Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat
RHBZ#2482458
https://bugzilla.redhat.com/show_bug.cgi?id=2482458

Scores

CVSS v3 4.3
EPSS 0.0020
EPSS Percentile 9.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (5)
Red Hat/Red Hat Build of Keycloak
Red Hat/Red Hat build of Keycloak 26.6 26.6-6
Red Hat/Red Hat build of Keycloak 26.6 26.6.3-3
Red Hat/Red Hat build of Keycloak 26.6.3
redhat/build_of_keycloak
Published May 28, 2026
Tracked Since May 28, 2026