
Description

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.

State: PUBLISHED | Reserved: 2026-05-20 | Published: 2026-06-05 | Updated: 2026-06-05 | Assigner: redhat

Severity: LOW, base score 2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Problem types

Insufficient Granularity of Access Control

Product status

Default status
affected

Timeline

2026-05-20: Reported to Red Hat.
2026-06-05: Made public.

Credits

Red Hat would like to thank Hadley So for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-9088 (vdb-entry)

bugzilla.redhat.com/show_bug.cgi?id=2480179 (RHBZ#2480179, issue-tracking)

cve.org (CVE-2026-9088)

nvd.nist.gov (CVE-2026-9088)
