4.9

CVE-2026-9083

Keycloak: keycloak: information disclosure through arbitrary filesystem path probing

Information disclosure through arbitrary filesystem path probing

A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.
Mögliche Gegenmaßnahme
Keycloak Server: Install latest version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatBuild Of Keycloak Version >= 26.4 < 26.4.13
RedhatBuild Of Keycloak Version >= 26.6 < 26.6.4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Weitere Schwachstelleninformationen
SystemKeycloak
Produkt Keycloak Server
Version < 26.6.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.52% 0.402
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
secalert@redhat.com 4.9 1.2 3.6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://access.redhat.com/security/cve/CVE-2026-9083
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2480168
Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:30083
Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:30084
Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:30049
Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:30050
Third Party Advisory
https://github.com/keycloak/keycloak/security/advisories/GHSA-9jrw-8xf7-xqhq
Third Party Advisory