CVE-2026-9791 MEDIUM

CVE-2026-9791: Keycloak-rhel9: organization data leak after feature disabled in keycloak

Vendor Red Hat
Product Red Hat build of Keycloak 26.6.3
Weakness CWE-863 · Incorrect authorization
Published May 28, 2026
Last update June 10, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.

Key dates

02Disclosure timeline

May 28, 2026 CVE published
June 10, 2026 Record updated