Copyright © 2012 Red Hat, Inc. All rights reserved. Low 2026-06-05T07:45:40 keycloak: Keycloak: Information disclosure due to user profile permission bypass 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CWE-1220

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.

Low: A flaw in Keycloak allows administrators with delegated access to read group memberships and users to bypass user profile permissions. This enables the viewing of user attributes that are configured to be denied, impacting data confidentiality for specific administrative roles. Red Hat would like to thank Hadley So for reporting this issue. Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability. Red Hat build of Keycloak 26.6 2026-06-10T00:00:00Z RHSA-2026:25097 rhbk/keycloak-operator-bundle:26.6.3-3 Red Hat build of Keycloak 26.6 2026-06-10T00:00:00Z RHSA-2026:25097 rhbk/keycloak-rhel9:26.6-6 Red Hat build of Keycloak 26.6 2026-06-10T00:00:00Z RHSA-2026:25097 rhbk/keycloak-rhel9-operator:26.6-6 Red Hat build of Keycloak 26.6.3 2026-06-10T00:00:00Z RHSA-2026:25098 rhbk/keycloak-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-9088 https://nvd.nist.gov/vuln/detail/CVE-2026-9088