CVE-2026-9791— Keycloak-rhel9: organization data leak after feature disabled in keycloak
Affected Version Matrix 4
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6.3-3< * | unaffected |
26.6-6< * | unaffected | ||
26.6-6< * | unaffected | ||
| Red Hat | Red Hat build of Keycloak 26.6.3 | any | unaffected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-9791
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Keycloak-rhel9: organization data leak after feature disabled in keycloak
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
Keycloak 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Keycloak是Keycloak开源的一种开源身份和访问管理解决方案。 Keycloak存在安全漏洞,该漏洞源于经过身份验证且具有现有组织成员资格的用户可通过访问面向用户的API或请求带有organization范围的OpenID Connect令牌来利用此漏洞,可能导致即使在管理员明确禁用组织功能后,组织元数据仍在令牌中泄露,从而导致资源服务器做出错误的授权决策。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6.3-3 ~ * | cpe:/a:redhat:build_keycloak:26.6::el9 | |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6-6 ~ * | cpe:/a:redhat:build_keycloak:26.6::el9 | |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6-6 ~ * | cpe:/a:redhat:build_keycloak:26.6::el9 | |
| Red Hat | Red Hat build of Keycloak 26.6.3 | - | cpe:/a:redhat:build_keycloak:26.6::el9 |
II. Public POCs for CVE-2026-9791
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-9791
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-9791 (3)
- 🔗 2482458 – (CVE-2026-9791) CVE-2026-9791 keycloak-rhel9: Organization Data Leak After Feature Disabled in Keycloak Read full article issue-trackingx_refsource_REDHAT
Other References for CVE-2026-9791 (1)
Same Patch Batch · Red Hat · 2026-05-28 · 14 CVEs total
| CVE-2026-4408 | 9.0 CRITICAL | Samba: remote code execution in samr |
| CVE-2026-9804 | 7.7 HIGH | Kubevirt: kubevirt: vmexport directory symlink escape enables exporter pod file read |
| CVE-2026-9795 | 7.3 HIGH | Keycloak: keycloak: privilege escalation via improper scope mapping enforcement |
| CVE-2026-44604 | 7.0 HIGH | Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level director |
| CVE-2026-9802 | 6.8 MEDIUM | Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster |
| CVE-2026-9792 | 6.5 MEDIUM | Keycloak: keycloak: security restriction bypass allows unauthorized ropc token acquisition |
| CVE-2026-9796 | 6.5 MEDIUM | Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnera |
| CVE-2026-9793 | 5.9 MEDIUM | Keycloak: keycloak: security policy bypass in jwe-encrypted request object processing |
| CVE-2026-9794 | 5.3 MEDIUM | Keycloak: keycloak: information disclosure via saml ecp endpoint |
| CVE-2026-9803 | 5.3 MEDIUM | Keycloak: keycloak: denial of service via malformed authorization header |
| CVE-2026-9801 | 4.9 MEDIUM | Keycloak: keycloak: denial of service via malformed ldap password policy response |
| CVE-2026-9798 | 4.3 MEDIUM | Keycloak: keycloak: brute-force protection bypass in ciba flow |
| CVE-2026-10028 | 4.3 MEDIUM | Glib-networking: infinite loop in glib-networking gnutls backend allows remote denial of s |
IV. Related Vulnerabilities
Same product: Red Hat build of Keycloak 26.6
- CVE-2026-9088
Keycloak: keycloak: information disclosure due to user profi - CVE-2026-9803
Keycloak: keycloak: denial of service via malformed authoriz - CVE-2026-9802
Keycloak: keycloak: unauthorized account access via replayed - CVE-2026-9801
Keycloak: keycloak: denial of service via malformed ldap pas - CVE-2026-9794
Keycloak: keycloak: information disclosure via saml ecp endp
Same vendor: Red Hat
- CVE-2026-11791
389-ds-base: 389-ds-base: use-after-free in schema reload vi - CVE-2026-12505
Cifs-utils: local privilege escalation via forged cifs.spneg - CVE-2026-12515
Katello: missing repository authorization in content_uploads - CVE-2026-12528
389-ds-base: 389-ds-base: heap-buffer-overflows in __aclp__n - CVE-2026-12491
Vllm: vllm: image exif rotation & png trns transparency not
Same weakness: CWE-863
- CVE-2026-56074
PraisonAI - Tool Approval Cache Bypass via Coarse-Grained Ca - CVE-2026-56075
PraisonAI - Arbitrary Shell Command Execution via Hardcoded - CVE-2026-10741
Nexus Repository Manager - Incorrect Authorization allows cr - CVE-2026-54803
WordPress SMS Alert Order Notifications plugin <= 3.9.4 - Pr - CVE-2026-32967
Apache DolphinScheduler: The `/v2` experimental interface la
V. Comments for CVE-2026-9791
No comments yet