CVE-2026-16072 in Keycloakinfo

Summary

by MITRE • 07/17/2026

A flaw was found in the organization management component of Keycloak. A delegated administrator with permission to manage organizations can create an invitation for a non-existent email address and then retrieve the secret registration link directly through the application programming interface. By using this link, the administrator can create new user accounts and add them to the organization without having the required user management permissions or access to the invited email account. This allows an administrator to bypass security boundaries and add unauthorized members to an organization.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

This vulnerability resides within Keycloak's organization management component and represents a critical authorization bypass flaw that undermines the security model of delegated administrative privileges. The issue stems from insufficient validation of email addresses during the invitation creation process, allowing malicious administrators to generate registration links for non-existent email addresses without proper user management permissions. This weakness enables unauthorized account creation and organization membership addition, effectively circumventing the intended access controls that should prevent such actions.

The technical implementation flaw manifests in the API endpoint responsible for handling organization invitations, where input validation occurs too late in the process or not at all for email address verification. When a delegated administrator creates an invitation, the system accepts any email address format without confirming its existence or validity within the organization's context. The subsequent retrieval of secret registration links through direct API access demonstrates that the system fails to enforce proper authentication and authorization checks during the registration link generation phase.

From an operational perspective, this vulnerability allows attackers with delegated administrator privileges to escalate their access rights beyond what was originally intended. The attacker can create new user accounts and associate them with the organization without requiring additional permissions or having access to the target email addresses, effectively bypassing security boundaries that should protect against unauthorized membership additions. This represents a significant compromise of the principle of least privilege and could enable insider threats to expand their influence within the system.

The vulnerability aligns with CWE-284 Access Control Issues and follows ATT&CK technique T1078 Valid Accounts by enabling unauthorized account creation through legitimate administrative interfaces. Organizations may experience unauthorized user proliferation within their Keycloak environments, potentially leading to data exposure or privilege escalation attacks that could compromise entire organization structures. The impact is particularly severe because it allows bypassing the email verification process that typically serves as a security boundary for user onboarding.

Mitigation strategies should focus on implementing strict email validation during invitation creation and enforcing proper authorization checks throughout the registration link generation process. Organizations must ensure that API endpoints validate email addresses against existing user databases or implement proper access controls that prevent unauthorized account creation regardless of administrative delegation level. Additionally, monitoring and logging of organization membership changes should be enhanced to detect suspicious activities such as bulk user additions or registrations using non-existent email addresses, providing visibility into potential exploitation attempts.

Responsible

Redhat

Reservation

07/17/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!