Home

Description

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.

PUBLISHED Reserved 2026-05-28 | Published 2026-05-28 | Updated 2026-05-28 | Assigner redhat




MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem types

Incorrect Authorization

Product status

Default status
affected

Timeline

2026-05-28:Reported to Red Hat.
2026-05-28:Made public.

Credits

Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-9791 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2482458 (RHBZ#2482458) issue-tracking

cve.org (CVE-2026-9791)

nvd.nist.gov (CVE-2026-9791)

Download JSON