Description
A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.
Published: 2026-05-28
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Keycloak allows an authenticated user who is a member of an organization to retrieve organization metadata through user-facing APIs such as the account API or by requesting an OIDC token with the 'organization' scope. This disclosure persists even after an administrator has disabled the Organizations feature, allowing organization data to appear in tokens and possibly causing resource servers to make incorrect authorization decisions. The weakness is a flaw in authorization enforcement (CWE-863).

Affected Systems

The vulnerability affects Red Hat Build of Keycloak. No specific product versions are identified in the advisory; administrators should verify whether their deployed instances fall under the affected build.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires the attacker to be an authenticated user who already has organization membership; no remote code execution or privilege escalation is involved. The exploitation pathway involves normal API interactions or OIDC token requests, making the flaw relatively low in operational difficulty but potentially significant if organization data is sensitive. Administrators should assess the likelihood of such an authenticated user and the impact of leaked metadata on their environment.

Generated by OpenCVE AI on May 28, 2026 at 05:25 UTC.

Remediation

Vendor Workaround

Administrators should verify that disabling the Organizations feature properly blocks all organization-related functionality. Consider implementing additional access controls or removing organization memberships before disabling the feature.


OpenCVE Recommended Actions

  • Remove all organization memberships before disabling the Organizations feature in Keycloak
  • Verify that disabling the Organizations feature blocks all organization-related functionality, including API responses and OIDC token claims
  • Implement additional access controls to restrict token exposure of organization metadata, such as limiting the 'organization' scope to trusted clients



Advisories

No advisories yet.

History

Thu, 28 May 2026 04:45:00 +0000

Type / Values Removed / Values Added (this entry only adds values; nothing was removed)

Description: A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.
Title: Keycloak-rhel9: organization data leak after feature disabled in keycloak
First Time appeared: Redhat; Redhat build Keycloak
Weaknesses: CWE-863
CPEs: cpe:/a:redhat:build_keycloak:
Vendors & Products: Redhat; Redhat build Keycloak
References: (none)
Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Redhat Build Keycloak
MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-28T03:44:12.464Z

Reserved: 2026-05-28T03:07:29.305Z

Link: CVE-2026-9791

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-28T05:16:39.977

Modified: 2026-05-28T05:16:39.977

Link: CVE-2026-9791

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T05:30:06Z

Weaknesses