CVE Catalog

CVE-2026-9088

LowCVSS 2.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile — higher than 27% of all known CVEs

Summary

A flaw was found in Keycloak where an administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint, allowing viewing of user attributes explicitly configured as denied, leading to information disclosure.

Risk Assessment

The risk involves unauthorized disclosure of sensitive user attributes, potentially compromising data confidentiality and access control policies in the organization.

Recommendation

It is recommended to immediately update Keycloak to a version that fixes this vulnerability and review the configuration of delegated access permissions for administrators.

Original NVD description (English source)

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS