Authorization Bypass Vulnerability in Keycloak Admin API
CVE-2026-2366

3.1LOW

Key Information:

Vendor

Red Hat
Status
Red Hat Build Of Keycloak 26.4
Red Hat Build Of Keycloak 26.4.11
Vendor
CVE Published:
12 March 2026

What is CVE-2026-2366?

The Keycloak Admin API has a significant authorization bypass vulnerability that enables an authenticated user to access the organization memberships of other users without requiring administrative privileges. This security flaw can be exploited if the attacker possesses the target user's unique identifier (UUID) and has the Organizations feature activated. As a result, sensitive membership information may be exposed, posing a risk to organizational privacy and integrity.

Affected Version(s)

Red Hat build of Keycloak 26.4 26.4.11-1

Red Hat build of Keycloak 26.4 26.4-14

Red Hat build of Keycloak 26.4 26.4-14

References

https://access.redhat.com/errata/RHSA-2026:6477
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6478
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-2366
vdb-entryx_refsource_REDHAT

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Joy Gilbert and Reynaldo Immanuel for reporting this issue.
.