Description
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
Published: 2026-06-05
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw exists in org.keycloak.services. An administrator who has been granted delegated access to read group memberships and users can bypass the user profile permissions by invoking the group members endpoint. This bypass allows the administrator to see user attributes that are explicitly configured to be denied, revealing confidential information. The weakness is classified as CWE-1220 and carries a modest CVSS score of 2.7.

Affected Systems

The vulnerability applies to Red Hat Build of Keycloak. No specific version details are supplied, so any instance of this distribution may be affected, as indicated by the CPE string presented by the CNA.

Risk and Exploitability

The overall severity is low, reflected by the CVSS rating of 2.7 and the absence of an EPSS score or KEV listing. The attack requires an attacker to possess administrator credentials with delegated read group membership privileges; the likely attack vector is therefore an internal compromise or credential theft. Because no official patch or workaround is available at this time, the risk can be mitigated by restricting such delegated permissions and monitoring for anomalous access to the group members endpoint.

Generated by OpenCVE AI on June 5, 2026 at 09:50 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Limit delegated permissions that allow reading group memberships to only users who truly require it and remove those privileges from all other accounts.
  • Audit existing administrative users to confirm that they do not have unnecessary rights that enable calls to the group members endpoint.
  • Continuously monitor Keycloak logs for activity involving the group members endpoint and attempts to access denied user attributes, and investigate any suspicious events promptly.
  • No official workaround is available per Red Hat’s advisory, as the mitigation does not meet product security criteria.

Generated by OpenCVE AI on June 5, 2026 at 09:50 UTC.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:45:00 +0000

Type | Values Removed | Values Added
References | |

Wed, 10 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
CPEs | cpe:/a:redhat:build_keycloak: | cpe:/a:redhat:build_keycloak:26.6::el9
References | |

Fri, 05 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 12:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat build Of Keycloak
Vendors & Products | | Redhat build Of Keycloak

Fri, 05 Jun 2026 12:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Low

Fri, 05 Jun 2026 08:00:00 +0000

Type | Values Removed | Values Added
Description | | A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
Title | | Keycloak: keycloak: information disclosure due to user profile permission bypass
First Time appeared | | Redhat; Redhat build Keycloak
Weaknesses | | CWE-1220
CPEs | | cpe:/a:redhat:build_keycloak:
Vendors & Products | | Redhat; Redhat build Keycloak
References | |
Metrics | | cvssV3_1: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-10T21:29:23.204Z

Reserved: 2026-05-20T15:01:48.645Z

Link: CVE-2026-9088

Vulnrichment

Updated: 2026-06-05T13:10:35.440Z

NVD

Status: Awaiting Analysis

Published: 2026-06-05T08:16:30.990

Modified: 2026-06-10T22:17:03.250

Link: CVE-2026-9088

Redhat

Severity: Low

Public Date: 2026-06-05T07:45:40Z

Links: CVE-2026-9088 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-05T12:30:40Z

Weaknesses
  • CWE-1220: Insufficient Granularity of Access Control