CVE-2026-9796

Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability

CVSS 6.5 MEDIUMEPSS 0.2%CWE-367

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.5EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

28 May 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Affected products

Red Hat · Red Hat Build of Keycloak

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://access.redhat.com/security/cve/CVE-2026-9796 https://bugzilla.redhat.com/show_bug.cgi?id=2482464