CVE-2026-9088 in Keycloak

Summary

by MITRE • 06/05/2026

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.


Analysis

by VulDB Data Team • 06/05/2026

This vulnerability resides within the Keycloak identity and access management platform, specifically in the user profile permissions system. The flaw manifests as a privilege escalation issue that allows malicious administrators with limited delegated access to bypass intended security controls. According to the vulnerability description, an administrator who has been granted permissions to read group memberships and users can exploit this weakness to access user attributes that should be explicitly restricted or denied. The vulnerability operates at the application layer and represents a critical breakdown in the enforcement of least privilege within the Keycloak service architecture. The implementation appears to lack proper authorization checks on the group members endpoint, so user attributes that the user profile configuration denies to the caller are exposed through that path even though they are withheld elsewhere.

The operational impact of this vulnerability extends beyond simple information disclosure, as it fundamentally undermines the security model of the Keycloak platform. An attacker with the specific delegated permissions can potentially access sensitive user attributes that are explicitly configured to be denied access, creating a significant data exposure risk. This type of vulnerability aligns with CWE-284 Access Control Issues, specifically relating to inadequate access control mechanisms that permit unauthorized access to protected resources. The flaw demonstrates a failure in the authorization enforcement point within the Keycloak service, where the system should be validating that the requesting administrator has appropriate permissions for all attributes being accessed, regardless of the endpoint used. This vulnerability can be categorized under ATT&CK technique T1078 Valid Accounts, as it exploits legitimate administrative permissions to gain unauthorized access to restricted information.

Mitigation strategies should focus on implementing comprehensive access control validation at all service endpoints within the Keycloak platform. Organizations should immediately review and restrict the delegated permissions assigned to administrators, ensuring that no administrator holds both the read-group-memberships and read-users permissions unless that combination is required, since together they enable this bypass. The system should enforce strict attribute-level access control checks regardless of the endpoint accessed, requiring administrators to have explicit permissions for every user attribute they attempt to view. Security teams should implement monitoring and logging of access patterns to detect anomalous behavior that might indicate exploitation attempts. Additionally, administrators should be educated about the risks of granting broad permissions and the importance of following the principle of least privilege. The vulnerability highlights the critical need for proper authorization enforcement across all API endpoints, and Keycloak administrators should apply the vendor patch once available or implement additional controls that specifically address this type of access control bypass.
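The following is an added illustration of the enforcement pattern the analysis calls for; it is a constructed Python model, not Keycloak's code, and every name in it (the role names, the attribute map, the endpoint functions, the audit log) is an assumption chosen for the example. It contrasts a group-members path that emits raw attributes after checking only membership permission with a hardened path that routes every user representation through the same attribute-level filter as the single-user path, and records any attribute withheld from a delegated caller so a detection rule has something to consume.

```python
"""Attribute-level access control applied at every endpoint (constructed model).

Not Keycloak's code: a delegated administrator may read users and group
memberships, but the user profile denies them some attributes. The weak
pattern returns raw attributes from the group-members path; the hardened
pattern routes every representation through one enforcement point.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed profile configuration: attribute name -> roles allowed to view it.
# Attributes absent from this map are visible only to FULL_ACCESS_ROLE.
ATTRIBUTE_VIEW_ROLES: Dict[str, Set[str]] = {
    "email": {"realm-admin", "delegated-admin"},
    "department": {"realm-admin", "delegated-admin"},
    "national-id": {"realm-admin"},  # explicitly denied to delegated admins
}
FULL_ACCESS_ROLE = "realm-admin"


@dataclass
class User:
    username: str
    attributes: Dict[str, str]


@dataclass
class Group:
    name: str
    members: List[User]


@dataclass
class Caller:
    roles: Set[str]


# Audit records appended by the hardened path; a monitoring rule could alert
# when a delegated caller repeatedly triggers withheld attributes.
AUDIT_LOG: List[Dict[str, object]] = []


def visible_attributes(user: User, caller: Caller) -> Dict[str, str]:
    """Single enforcement point: keep only attributes the caller's roles may view.

    Unknown attributes are denied by default rather than passed through."""
    if FULL_ACCESS_ROLE in caller.roles:
        return dict(user.attributes)
    return {
        name: value
        for name, value in user.attributes.items()
        if caller.roles & ATTRIBUTE_VIEW_ROLES.get(name, set())
    }


def user_endpoint(user: User, caller: Caller) -> Dict[str, object]:
    """Single-user path (assumed to already honour profile permissions)."""
    return {"username": user.username, "attributes": visible_attributes(user, caller)}


def group_members_unchecked(group: Group, caller: Caller) -> List[Dict[str, object]]:
    """Weak pattern: membership may be read, so attributes are emitted raw."""
    return [{"username": u.username, "attributes": dict(u.attributes)} for u in group.members]


def group_members_hardened(group: Group, caller: Caller,
                           endpoint: str = "group-members") -> List[Dict[str, object]]:
    """Hardened pattern: each member passes through the same filter as the
    single-user path, and every withheld attribute is recorded for monitoring."""
    result = []
    for u in group.members:
        rep = user_endpoint(u, caller)
        withheld = sorted(set(u.attributes) - set(rep["attributes"]))
        if withheld:
            AUDIT_LOG.append({
                "endpoint": endpoint,
                "group": group.name,
                "user": u.username,
                "caller_roles": sorted(caller.roles),
                "withheld": withheld,
            })
        result.append(rep)
    return result


def sample_group() -> Group:
    """Constructed sample data; values are placeholders, not real records."""
    return Group("finance", [
        User("alice", {"email": "alice@example.test", "department": "finance",
                       "national-id": "SAMPLE-ONLY"}),
        User("bob", {"email": "bob@example.test", "department": "finance"}),
    ])


if __name__ == "__main__":
    delegated = Caller(roles={"delegated-admin"})
    group = sample_group()
    print("unchecked:", group_members_unchecked(group, delegated))
    print("hardened: ", group_members_hardened(group, delegated))
    print("audit:    ", AUDIT_LOG)
```

The design point is that the filter lives in one function and both endpoints call it; the delegated caller receives identical representations whether they ask for a user directly or list a group's members, so there is no endpoint left through which the denied attribute can leak. The audit entries give a security team the "access pattern" signal the analysis recommends monitoring.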

Responsible

Red Hat

Reservation

05/20/2026

Disclosure

06/05/2026

Moderation

accepted

CPE

ready

EPSS

0.00007

KEV

no

Activities

very low

Sources
