Description

A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.

PUBLISHED | Reserved 2026-02-11 | Published 2026-03-12 | Updated 2026-03-12 | Assigner: redhat

Severity: LOW 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Problem types

Authorization Bypass Through User-Controlled Key

Product status

Default status
affected

Timeline

2026-02-11: Reported to Red Hat.
2026-02-11: Made public.

Credits

Red Hat would like to thank Joy Gilbert and Reynaldo Immanuel for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-2366 (vdb-entry)

bugzilla.redhat.com/show_bug.cgi?id=2439081 (RHBZ#2439081, issue-tracking)

cve.org (CVE-2026-2366)

nvd.nist.gov (CVE-2026-2366)