CVE-2026-2366
Keycloak: keycloak: information disclosure via authorization bypass in admin api
Vexday Risk Score
8Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 3.1EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Lifecycle
12 Mar 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected products
Red Hat · Red Hat build of Keycloak 26.4Red Hat · Red Hat build of Keycloak 26.4.11Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →