← back
CVE-2026-2366

Keycloak: keycloak: information disclosure via authorization bypass in admin api

CVSS 3.1 LOWEPSS 0.3%CWE-639
Vexday Risk Score
8Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 3.1EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
12 Mar 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →