CVE Catalog

CVE-2026-9791

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

12th percentile - higher than 12% of all known CVEs

Summary

A flaw was found in Keycloak where an authenticated user with existing organization membership can disclose organization metadata in OIDC tokens or via the account API, even after the administrator has disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.

Risk Assessment

The risk is that administrators may incorrectly assume that disabling the Organizations feature completely removes organization information from tokens, which could result in improper access grants to resources.

Recommendation

It is recommended to immediately update Keycloak to a version that fixes this vulnerability and to review OIDC scope and account API configurations for unintended disclosure of organization data.

Original NVD description (English source)

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS