CVE-2026-2366 LOW

CVE-2026-2366: Keycloak: keycloak: information disclosure via authorization bypass in admin api

Vendor Red Hat
Product Red Hat build of Keycloak 26.4.11
Weakness CWE-639 (Authorization Bypass Through User-Controlled Key, commonly called IDOR)
Published March 12, 2026
Last update April 2, 2026

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

A flaw was found in Keycloak. An authorization bypass in the Keycloak Admin API allows any authenticated user, including users without administrative privileges, to enumerate the organization memberships of other users. Exploitation requires that the Organizations feature is enabled and that the attacker knows the victim's user ID (a UUID); deployments that do not enable Organizations are not exposed. What is disclosed is limited to which organizations the victim belongs to, which is why the impact is rated Confidentiality: Low. The UUID precondition is what the High attack-complexity metric in the vector reflects, but it should not be read as a strong barrier: Keycloak user IDs are not secrets and appear, for example, as the `sub` claim of tokens issued to that user, so an attacker who already has a specific target in view can usually obtain it.

Key dates

02 Disclosure timeline

March 12, 2026 CVE published
April 2, 2026 Record updated