Bug 2439081 (CVE-2026-2366)
| Summary: | CVE-2026-2366 keycloak: Keycloak: Information disclosure via authorization bypass in Admin API | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | aschwart, boliveir, mposolda, pjindal, rmartinc, ssilvert, sthorger, vmuzikar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Summary An authorization bypass exists in the Keycloak Admin API where the endpoint /admin/realms/ {realm}/organizations/members/{member-id}/organizations fails to perform necessary permission checks. This allows any authenticated user, regardless of their roles or administrative privileges, to enumerate the organization memberships of any other user if their unique identifier (UUID) is known. Requirements to exploit * The Organizations feature must be enabled (which is the default in recent versions). * The attacker must possess a valid access token for the realm. * The attacker must know the UUID of the victim user. Component affected org.keycloak.services.resources.admin.organizations Version affected: 26.5.1 Patch available: No CVSS: 3.1 (Low) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Embargo: No Acknowledgement: Reynaldo Immanuel, Joy Gilbert Steps to reproduce # Enable the Organizations feature and create multiple organizations (e.g., orgA, orgB). # Create a victim user and assign them to several organizations # Create a low-privileged "attacker" user with no administrative roles. # Obtain an OIDC access token for the low-privileged user. # Execute a GET request to /admin/realms/{realm} /organizations/members/ {victim-id} /organizations using the low-privileged token. Observe that the server returns a 200 OK response containing a full list of the victim's organization memberships instead of the expected 403 Forbidden.