<Vulnerability name="CVE-2026-9099">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-25T15:58:51</PublicDate>
    <Bugzilla id="2480182" url="https://bugzilla.redhat.com/show_bug.cgi?id=2480182" xml:lang="en:us">
keycloak: Group-Admin Escalation to Realm-Admin
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>7.7</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-639</CWE>
    <Details xml:lang="en:us" source="Mitre">
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.

Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.

Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
    </Details>
    <Statement xml:lang="en:us">
This vulnerability is rated as High impact. When Fine-Grained Admin Permissions (FGAPv2) are enabled in Keycloak, a delegated administrator with specific `manage-members` permissions on a low-privilege group can bypass authorization checks to reparent any other group, including those with `realm-admin` roles. This allows the attacker to reset passwords of members in the stolen group, leading to a full realm takeover.
    </Statement>
    <Mitigation xml:lang="en:us">
To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities.
    </Mitigation>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.4::el9">
        <ProductName>Red Hat build of Keycloak 26.4</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30050">RHSA-2026:30050</Advisory>
        <Package name="rhbk/keycloak-operator-bundle">rhbk/keycloak-operator-bundle:26.4.13-1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.4::el9">
        <ProductName>Red Hat build of Keycloak 26.4</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30050">RHSA-2026:30050</Advisory>
        <Package name="rhbk/keycloak-rhel9">rhbk/keycloak-rhel9:26.4-19</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.4::el9">
        <ProductName>Red Hat build of Keycloak 26.4</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30050">RHSA-2026:30050</Advisory>
        <Package name="rhbk/keycloak-rhel9-operator">rhbk/keycloak-rhel9-operator:26.4-19</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.4::el9">
        <ProductName>Red Hat build of Keycloak 26.4.13</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30049">RHSA-2026:30049</Advisory>
        <Package name="rhbk/keycloak-rhel9">rhbk/keycloak-rhel9</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.6::el9">
        <ProductName>Red Hat build of Keycloak 26.6</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30084">RHSA-2026:30084</Advisory>
        <Package name="rhbk/keycloak-operator-bundle">rhbk/keycloak-operator-bundle:26.6.4-2</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.6::el9">
        <ProductName>Red Hat build of Keycloak 26.6</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30084">RHSA-2026:30084</Advisory>
        <Package name="rhbk/keycloak-rhel9">rhbk/keycloak-rhel9:26.6-8</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.6::el9">
        <ProductName>Red Hat build of Keycloak 26.6</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30084">RHSA-2026:30084</Advisory>
        <Package name="rhbk/keycloak-rhel9-operator">rhbk/keycloak-rhel9-operator:26.6-8</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:build_keycloak:26.6::el9">
        <ProductName>Red Hat build of Keycloak 26.6.4</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30083">RHSA-2026:30083</Advisory>
        <Package name="rhbk/keycloak-rhel9">rhbk/keycloak-rhel9</Package>
    </AffectedRelease>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-9099
https://nvd.nist.gov/vuln/detail/CVE-2026-9099
    </References>
</Vulnerability>