2480179 – (CVE-2026-9088) CVE-2026-9088 keycloak: Keycloak: Information disclosure due to user profile permission bypass

Bug 2480179 (CVE-2026-9088) - CVE-2026-9088 keycloak: Keycloak: Information disclosure due to user profile permission bypass

Summary: CVE-2026-9088 keycloak: Keycloak: Information disclosure due to user profile ...

Keywords:
Status:	NEW
Alias:	CVE-2026-9088
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-20 15:02 UTC by OSIDB Bzimport
Modified:	2026-06-05 07:46 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-20 15:02:48 UTC

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.

Note You need to log in before you can comment on or make changes to this bug.