Bug 2482464 (CVE-2026-9796) - CVE-2026-9796 keycloak: Keycloak: Privilege escalation via Time-of-Check to Time-of-Use (TOCTOU) vulnerability
Keywords:
Status: NEW
Alias: CVE-2026-9796
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-05-28 03:33 UTC by OSIDB Bzimport
Modified: 2026-05-28 04:23 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-05-28 03:33:30 UTC
A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots.

