Authorization Flaw in Group Management for Keycloak by Red Hat
CVE-2026-9099

7.7 HIGH

Key Information:

Vendor: Red Hat

CVE Published: 25 June 2026

What is CVE-2026-9099?

A significant flaw in the Keycloak Admin REST API, specifically in the GroupResource.addChild() endpoint, allows an authenticated user with limited admin rights to bypass authorization checks. The missing check lets a low-privileged admin reparent a high-privilege group, potentially including groups that carry realm-admin roles. Successful exploitation gives the attacker unauthorized management rights over the reparented group, including the ability to reset passwords for, and fully control, its members. This poses severe risks to the confidentiality, integrity, and availability of affected systems.

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved