Description
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.

Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
Published: 2026-06-25
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in the GroupResource.addChild() endpoint of Keycloak’s Admin REST API allows an authenticated user with limited administrative rights to reparent any existing group. When Fine‑Grained Admin Permissions v2 is enabled, an attacker with control over a low‑privilege group can move a highly privileged group that carries the realm‑admin role into their own hierarchy. This unauthorized reparenting grants the attacker full management privileges, including the ability to reset passwords of privileged members, effectively enabling a complete realm takeover and compromising confidentiality, integrity and availability.

Affected Systems

The vulnerability exists in the Red Hat Build of Keycloak. No specific version range is listed; organizations should verify whether their deployment implements the GroupResource.addChild() operation and FGAPv2.

Risk and Exploitability

The CVSS score of 7.7 indicates a high impact when combined with the fact that the attacker only needs authenticated access to the REST API. EPSS is not available, but the lack of an exploit in the KEV catalog suggests no widely known public exploitation yet. However, the exploit can be carried out remotely by anyone who can reach the Admin REST API, making network exposure a key factor. The recommended mitigation is to implement the official patch and, where premature, to restrict the REST API to trusted networks or localhost, as outlined in the vendor workaround. Disabling FGAPv2 can also reduce the risk if it is not required.

Generated by OpenCVE AI on June 25, 2026 at 18:09 UTC.

Remediation

Vendor Workaround

To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities.


OpenCVE Recommended Actions

  • Apply the vendor patch for CVE-2026-9099 as soon as it is released.
  • Restrict network access to Keycloak’s Admin REST API to trusted networks or localhost to limit exposure.
  • If FGAPv2 is not essential, disable it to prevent the privilege escalation path.
  • Monitor administrative group changes for unauthorized reparenting activities.

Generated by OpenCVE AI on June 25, 2026 at 18:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak:26.4::el9
References

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Thu, 25 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak: cpe:/a:redhat:build_keycloak:26.6::el9
References

Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
Title Keycloak: group-admin escalation to realm-admin
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-639
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N'}


Subscriptions

Redhat Build Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-15T00:38:43.248Z

Reserved: 2026-05-20T15:12:25.740Z

Link: CVE-2026-9099

cve-icon Vulnrichment

Updated: 2026-07-15T00:38:43.248Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T15:58:51Z

Links: CVE-2026-9099 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:30:05Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key