<Vulnerability name="CVE-2026-9083">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-25T15:58:16</PublicDate>
    <Bugzilla id="2480168" url="https://bugzilla.redhat.com/show_bug.cgi?id=2480168" xml:lang="en:us">
keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>4.9</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-22</CWE>
    <Details xml:lang="en:us" source="Mitre">
A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.
    </Details>
    <Statement xml:lang="en:us">
Medium: This flaw in Keycloak allows a highly privileged realm administrator with the "manage-realm" role to perform arbitrary filesystem path probing. By submitting a crafted keystore path, an authenticated attacker can determine the existence and readability of files on the Keycloak server, potentially identifying high-value targets for further attacks. Exploitation requires an attacker to possess the "manage-realm" role, which is a high-level administrative permission.
    </Statement>
    <Acknowledgement xml:lang="en:us">
Red Hat would like to thank Swapnil Paliwal &amp; Security Team (AxiomCode) for reporting this issue.
    </Acknowledgement>
    <Mitigation xml:lang="en:us">
Ensure that only highly trusted administrators are granted the "manage-realm" role within Keycloak. This role provides extensive administrative privileges, including the ability to exploit this vulnerability for filesystem probing. Regularly review and audit users assigned to this role to minimize the attack surface.
    </Mitigation>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.4::el9">
        <ProductName>Red Hat build of Keycloak 26.4</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30050">RHSA-2026:30050</Advisory>
        <Package name="rhbk/keycloak-operator-bundle">rhbk/keycloak-operator-bundle:26.4.13-1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.4::el9">
        <ProductName>Red Hat build of Keycloak 26.4</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30050">RHSA-2026:30050</Advisory>
        <Package name="rhbk/keycloak-rhel9">rhbk/keycloak-rhel9:26.4-19</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.4::el9">
        <ProductName>Red Hat build of Keycloak 26.4</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30050">RHSA-2026:30050</Advisory>
        <Package name="rhbk/keycloak-rhel9-operator">rhbk/keycloak-rhel9-operator:26.4-19</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.4::el9">
        <ProductName>Red Hat build of Keycloak 26.4.13</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30049">RHSA-2026:30049</Advisory>
        <Package name="rhbk/keycloak-rhel9">rhbk/keycloak-rhel9</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.6::el9">
        <ProductName>Red Hat build of Keycloak 26.6</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30084">RHSA-2026:30084</Advisory>
        <Package name="rhbk/keycloak-operator-bundle">rhbk/keycloak-operator-bundle:26.6.4-2</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.6::el9">
        <ProductName>Red Hat build of Keycloak 26.6</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30084">RHSA-2026:30084</Advisory>
        <Package name="rhbk/keycloak-rhel9">rhbk/keycloak-rhel9:26.6-8</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.6::el9">
        <ProductName>Red Hat build of Keycloak 26.6</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30084">RHSA-2026:30084</Advisory>
        <Package name="rhbk/keycloak-rhel9-operator">rhbk/keycloak-rhel9-operator:26.6-8</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.6::el9">
        <ProductName>Red Hat build of Keycloak 26.6.4</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30083">RHSA-2026:30083</Advisory>
        <Package name="rhbk/keycloak-rhel9">rhbk/keycloak-rhel9</Package>
    </AffectedRelease>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-9083
https://nvd.nist.gov/vuln/detail/CVE-2026-9083
    </References>
</Vulnerability>