Description
A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots.
Published: 2026-05-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated administrator holding the manage-clients role (a client role of the built-in realm-management client, intended only for managing client registrations) can exploit a time-of-check to time-of-use flaw in Keycloak's name-based admin role checks. The result is an escalation to realm-admin, the composite of every realm-management role, for all users in the realm. Because the escalation is recorded as a composite role relationship rather than as a mapping on the attacker's own account, it survives revocation of the attacker's permissions and restarts of the server; disabling the attacker's access does not undo it.

Affected Systems

Red Hat Build of Keycloak is affected. No specific version range is listed in the CNA data, so all supported releases at the time of the advisory may be vulnerable until patched.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N) lands in Medium mainly because exploitation requires high privileges (PR:H): the attacker must already hold manage-clients. Confidentiality and integrity impact are both rated High, so the outcome for the realm is severe once that precondition is met. EPSS is below 1% (Very Low), the CVE is not in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates the flaw as not automatable. The realistic threat is an insider who holds manage-clients, or an external attacker who has compromised such an account or its admin session. Because the composite role relationship created by the attack persists after the attacker's permissions are revoked and across restarts, containment means auditing role composites, not only disabling the offending account.

Generated by OpenCVE AI on May 28, 2026 at 05:20 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Upgrade to a Red Hat Build of Keycloak release that contains the fix for this CVE; the vendor lists no supported workaround.
  • Restrict the manage‑clients role (a client role of the built‑in realm‑management client) to a minimal, trusted set of accounts, remove it from every user and service account that does not need it, and treat any remaining holder as realm‑admin‑equivalent until the fix is deployed.
  • Enable admin events (Realm settings > Events > Admin events settings, with "Include representation" on) and alert on CREATE operations whose resource path ends in /composites, and on role mappings that grant realm‑admin or any manage‑* role.
  • After patching, or on any suspicion of misuse, audit the composites of realm roles and of realm‑management client roles for an unexpected inclusion of realm‑admin: the relationship persists after the attacker's own access is revoked, so revoking the account alone does not contain it.
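The detection the last two actions call for, as an added example that is not OpenCVE's or Keycloak's own code. It consumes admin-event records in the shape the Admin REST API returns (AdminEventRepresentation: operationType, resourceType, resourcePath, authDetails, and a JSON string in representation, which is only populated when "Include representation" is enabled). The events, the actor allowlist and every ID and address in them are constructed for the example. The sequence by which the TOCTOU is triggered is not published, so the rules match the outcome the advisory describes, a composite or mapping that confers realm-admin or a manage-* role, rather than any particular trigger.

```python
"""Flag Keycloak admin events that create realm-admin-equivalent power.

Records follow AdminEventRepresentation (GET /admin/realms/{realm}/admin-events):
operationType, resourceType, resourcePath (relative to the realm), authDetails,
and `representation`, a JSON *string* filled only when "Include representation" is on.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Built-in client roles of the `realm-management` client that, alone or combined,
# amount to control of the realm. `realm-admin` is the composite of all of them.
SENSITIVE_ROLES = {"realm-admin", "manage-realm", "manage-users",
                   "manage-clients", "manage-authorization"}

# Constructed allowlist: the only principals expected to touch these roles.
EXPECTED_ACTORS = {"u-breakglass-01"}


@dataclass(frozen=True)
class Finding:
    severity: str      # "high" when an expected actor did it, else "critical"
    reason: str
    actor: str
    source_ip: str
    path: str


def roles_in_representation(rep: Optional[str]) -> set:
    """Role names in a composite or role-mapping payload (a list of RoleRepresentation)."""
    if not rep:
        return set()
    try:
        data = json.loads(rep)
    except json.JSONDecodeError:
        return set()       # truncated or non-JSON representation: nothing to match on
    if isinstance(data, dict):
        data = [data]
    return {r["name"] for r in data if isinstance(r, dict) and r.get("name")}


def inspect_event(ev: dict) -> Optional[Finding]:
    """Return a Finding when the event grants a sensitive role, else None."""
    if ev.get("operationType") != "CREATE":
        return None        # DELETE/UPDATE/ACTION are outside this rule
    path = ev.get("resourcePath", "")
    hits = roles_in_representation(ev.get("representation")) & SENSITIVE_ROLES
    if not hits:
        return None
    seg = path.split("/")
    if path.endswith("/composites"):
        # The outcome the advisory describes: a composite relationship, which survives
        # revocation of the actor's own permissions, so it outranks a direct mapping.
        reason = f"composite of role {seg[-2]} now includes {sorted(hits)}"
    elif "/role-mappings/" in path:
        reason = f"direct grant of {sorted(hits)} to {seg[0]}/{seg[1]}"
    else:
        return None
    auth = ev.get("authDetails") or {}
    actor = auth.get("userId", "unknown")
    severity = "high" if actor in EXPECTED_ACTORS else "critical"
    return Finding(severity, reason, actor, auth.get("ipAddress", "?"), path)


def scan(events: list) -> list:
    """Run inspect_event over a batch, preserving order so the timeline stays readable."""
    return [f for f in (inspect_event(e) for e in events) if f is not None]


# Constructed sample batch; IDs, times and addresses are made up.
_USER = "users/9b1e0c12-1111-4222-8333-444455556666"
_CLIENT = "2aa4f8e1-7777-4888-9999-aaaabbbbcccc"
_ACTOR = {"realmId": "master", "clientId": "admin-cli", "userId": "u-7f3a", "ipAddress": "10.20.0.9"}
SAMPLE_EVENTS = [
    {"time": 1779945180000, "realmId": "prod", "operationType": "CREATE", "resourceType": "CLIENT_ROLE",
     "resourcePath": "roles-by-id/4c2d1e77-5a1b-4f0e-9c2d-0a1b2c3d4e5f/composites", "authDetails": _ACTOR,
     "representation": json.dumps([{"id": "d0c5b1aa-0000-4000-8000-0000000000aa", "name": "realm-admin", "clientRole": True}])},
    {"time": 1779945300000, "realmId": "prod", "operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": f"{_USER}/role-mappings/clients/{_CLIENT}",
     "authDetails": {"realmId": "master", "clientId": "security-admin-console", "userId": "u-breakglass-01", "ipAddress": "10.0.0.5"},
     "representation": json.dumps([{"id": "e1f2a3b4-0000-4000-8000-0000000000bb", "name": "manage-users", "clientRole": True}])},
    {"time": 1779945420000, "realmId": "prod", "operationType": "UPDATE", "resourceType": "CLIENT",
     "resourcePath": f"clients/{_CLIENT}", "authDetails": _ACTOR,
     "representation": json.dumps({"clientId": "billing", "enabled": True})},   # ordinary client edit
    {"time": 1779945480000, "realmId": "prod", "operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": f"{_USER}/role-mappings/clients/{_CLIENT}", "authDetails": _ACTOR,
     "representation": json.dumps([{"name": "view-users", "clientRole": True}])},   # read-only role, below threshold
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.reason} by {f.actor} from {f.source_ip} ({f.path})")
```

Feeding the batch through produces two findings: a critical one for the unexpected actor u-7f3a adding realm-admin to a role's composites, and a high one for the break-glass account's direct manage-users grant; the client edit and the view-users mapping stay silent. Keying the composite rule on the path suffix rather than on resourceType covers realm roles, client roles and the roles-by-id endpoint alike.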



Advisories

No advisories yet.

History

Sat, 30 May 2026 23:00:00 +0000

  First Time appeared    added: Redhat keycloak
  Vendors & Products     added: Redhat keycloak

Thu, 28 May 2026 13:30:00 +0000

  Metrics (ssvc)         added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 12:15:00 +0000

  References             (values not shown)
  Metrics (threat_severity)   removed: None   added: Moderate

Thu, 28 May 2026 04:45:00 +0000

  Description            added: A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots.
  Title                  added: Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability
  First Time appeared    added: Redhat; Redhat build Keycloak
  Weaknesses             added: CWE-367
  CPEs                   added: cpe:/a:redhat:build_keycloak:
  Vendors & Products     added: Redhat; Redhat build Keycloak
  References             (values not shown)
  Metrics (cvssV3_1)     added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-28T12:16:58.840Z

Reserved: 2026-05-28T03:31:58.205Z

Link: CVE-2026-9796

Vulnrichment

Updated: 2026-05-28T12:16:54.515Z

NVD

Status : Undergoing Analysis

Published: 2026-05-28T05:16:41.153

Modified: 2026-05-28T13:44:54.327

Link: CVE-2026-9796

Redhat

Severity : Moderate

Public Date: 2026-05-28T03:32:50Z

Links: CVE-2026-9796 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T21:19:24Z

Weaknesses