CVE-2026-16108 in Keycloakinfo

Summary

by MITRE • 07/17/2026

A flaw was found in the default-groups REST endpoint and realm representation of Keycloak. This component is responsible for managing groups that are automatically assigned to new users within a realm. The issue allows a delegated administrator with realm-viewing permissions to see the names and identifiers of hidden default groups, even if they lack the specific permissions to view those groups. This can lead to the exposure of sensitive organizational structures or internal group names.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/17/2026

This vulnerability exists within Keycloak's default-groups REST endpoint and realm representation functionality, which governs the automatic assignment of groups to new users within a security realm. The flaw represents a privilege escalation issue that undermines the principle of least privilege by allowing unauthorized access to hidden administrative resources. Attackers with merely realm-viewing permissions can exploit this weakness to discover the names and identifiers of default groups that should remain concealed from standard administrators. This exposure occurs through improper access control enforcement at the REST API level where the system fails to properly validate user permissions before returning group membership information.

The technical implementation flaw stems from inadequate authorization checks within Keycloak's access control model, specifically in how it handles group visibility permissions for delegated administrators. When a user with realm-viewing privileges accesses the default-groups endpoint, the system returns group identifiers and names without performing proper permission verification against the specific group-viewing capabilities. This represents a classic case of insufficient authorization validation where the system assumes that users with broader realm access should automatically have access to all associated group information regardless of explicit group-level permissions. The vulnerability aligns with CWE-284, which addresses improper access control issues in software systems.

The operational impact of this vulnerability extends beyond simple information disclosure, as it can reveal critical organizational structures and internal naming conventions that adversaries might leverage for further attacks. Hidden default groups often contain sensitive metadata about organizational hierarchy, business units, or security classifications that should remain confidential to prevent targeted attacks. An attacker could use this information to craft more sophisticated social engineering campaigns or identify potential attack vectors within the organization's security infrastructure. The exposure of group identifiers may also enable enumeration attacks against other systems that rely on similar naming conventions, creating additional attack surfaces.

Organizations should implement immediate mitigations including updating Keycloak to versions that address this specific authorization flaw, implementing stricter access control policies for delegated administrators, and conducting comprehensive audits of group permissions within their Keycloak realms. Security teams must review existing default-group configurations to ensure that sensitive organizational information is properly protected through appropriate permission controls. Additional monitoring should be implemented to detect unauthorized access attempts to default-groups endpoints, particularly from users with only realm-viewing permissions. This vulnerability demonstrates the importance of maintaining granular access controls and proper permission boundaries within identity management systems, aligning with ATT&CK technique T1078 which covers valid accounts and privilege escalation through access control violations.

Responsible

Redhat

Reservation

07/17/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!