Information Exposure in Keycloak Default-Groups Management
CVE-2026-16108
4.3MEDIUM
What is CVE-2026-16108?
A security issue exists in Keycloak's default-groups REST endpoint that enables a delegated administrator with realm-viewing permissions to access and view names and identifiers of hidden default groups. This behavior occurs despite the administrator lacking the necessary permissions to access these groups, potentially revealing sensitive organizational structures or internal group names to unauthorized users.
References
CVSS V3.1
Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Paul Bottinelli (Trail of Bits) for reporting this issue.