Information Exposure in Keycloak Default-Groups Management
CVE-2026-16108

4.3MEDIUM

What is CVE-2026-16108?

A security issue exists in Keycloak's default-groups REST endpoint that enables a delegated administrator with realm-viewing permissions to access and view names and identifiers of hidden default groups. This behavior occurs despite the administrator lacking the necessary permissions to access these groups, potentially revealing sensitive organizational structures or internal group names to unauthorized users.

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Paul Bottinelli (Trail of Bits) for reporting this issue.
.