2.7
CVE-2026-9088
- EPSS 0.35%
- Veröffentlicht 05.06.2026 07:52:52
- Zuletzt bearbeitet 26.06.2026 08:16:26
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Keycloak: keycloak: information disclosure due to user profile permission bypass
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerRed Hat
≫
Produkt
Red Hat build of Keycloak 26.4
Default Statusaffected
Version
26.4.13-1
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat build of Keycloak 26.4
Default Statusaffected
Version
26.4-19
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat build of Keycloak 26.4
Default Statusaffected
Version
26.4-19
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat build of Keycloak 26.4.13
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat build of Keycloak 26.6
Default Statusaffected
Version
26.6.3-3
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat build of Keycloak 26.6
Default Statusaffected
Version
26.6-6
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat build of Keycloak 26.6
Default Statusaffected
Version
26.6-6
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat build of Keycloak 26.6.3
Default Statusunaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.35% | 0.267 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 2.7 | 1.2 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
|
CWE-1220 Insufficient Granularity of Access Control
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
https://access.redhat.com/security/cve/CVE-2026-9088
https://bugzilla.redhat.com/show_bug.cgi?id=2480179
https://access.redhat.com/errata/RHSA-2026:25098
https://access.redhat.com/errata/RHSA-2026:25097
https://access.redhat.com/errata/RHSA-2026:30049
https://access.redhat.com/errata/RHSA-2026:30050