CVE-2026-9796 MEDIUM

CVE-2026-9796: Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability

Vendor Red Hat
Product Red Hat Build of Keycloak
Weakness CWE-367
Published May 28, 2026
Last update May 28, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

A flaw was found in Keycloak. An authenticated administrator holding the `manage-clients` role can exploit a time-of-check to time-of-use (TOCTOU) race in the name-based admin role checks to escalate to `realm-admin`, gaining control over all users in the realm. The composite role relationship that results persists after the attacker's own permissions are revoked and survives system reboots. Because the grant outlives the attacker's access, revoking the `manage-clients` role alone does not remediate a realm that has already been attacked; the realm's composite roles need to be audited for any path that reaches `realm-admin`.
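The persistence described above means the practical post-exploitation check is a walk over the realm's composite roles looking for any chain that reaches the `realm-management` client's `realm-admin` role. The script below is an added example for this advisory, not code from the advisory or from the Keycloak project: the traversal runs offline over constructed role data shaped like Keycloak admin REST API `RoleRepresentation` objects (`name`, `clientRole`, `containerId`), and the `fetch_live()` helper is an assumption about the admin API endpoint shapes (`/admin/realms/{realm}/roles`, `/clients/{id}/roles`, and their `/composites` sub-resources) rather than something verified against a particular release. The client UUIDs in the sample data are made up.

```python
"""Audit a Keycloak realm for composite roles that grant realm-management/realm-admin.

Added example for this advisory; not code from the advisory or the Keycloak project.
SAMPLE_* data is constructed. fetch_live() assumes admin REST endpoint shapes and is
not exercised here.
"""
import json
import urllib.parse
import urllib.request

TARGET_CLIENT = "realm-management"
TARGET_ROLE = "realm-admin"

# Constructed sample data: two client UUIDs (made up) and their clientIds.
RM_UUID = "11111111-1111-4111-8111-111111111111"
APP_UUID = "22222222-2222-4222-8222-222222222222"
SAMPLE_CLIENTS = {RM_UUID: "realm-management", APP_UUID: "my-app"}

SAMPLE_ROLES = [
    {"name": "helpdesk", "clientRole": False, "containerId": "demo"},
    # decoy: a *realm* role that merely shares the name realm-admin
    {"name": "realm-admin", "clientRole": False, "containerId": "demo"},
    {"name": "team-a", "clientRole": False, "containerId": "demo"},
    {"name": "team-b", "clientRole": False, "containerId": "demo"},
    {"name": "app-admin", "clientRole": True, "containerId": APP_UUID},
]

# role_key -> direct composite members, as the .../composites endpoints return them
SAMPLE_COMPOSITES = {
    "realm:helpdesk": [{"name": "realm-admin", "clientRole": True, "containerId": RM_UUID}],
    "realm:team-a": [{"name": "team-b", "clientRole": False, "containerId": "demo"}],
    "realm:team-b": [{"name": "team-a", "clientRole": False, "containerId": "demo"}],  # cycle
    "client:my-app:app-admin": [
        {"name": "team-a", "clientRole": False, "containerId": "demo"},
        {"name": "manage-users", "clientRole": True, "containerId": RM_UUID},
    ],
}


def role_key(role, clients):
    """'realm:<name>' or 'client:<clientId>:<name>'. Keying on the owning client
    rather than the bare name is what keeps the decoy realm role above from
    matching the realm-management client role."""
    if role.get("clientRole"):
        owner = clients.get(role["containerId"], role["containerId"])
        return f"client:{owner}:{role['name']}"
    return f"realm:{role['name']}"


def find_realm_admin_grants(roles, composites, clients):
    """Map role_key -> path for every role whose composite closure reaches
    realm-management/realm-admin. Iterative DFS with a visited set so cyclic
    composites (team-a <-> team-b) terminate."""
    target = f"client:{TARGET_CLIENT}:{TARGET_ROLE}"
    findings = {}
    for role in roles:
        start = role_key(role, clients)
        stack, seen = [(start, [start])], set()
        while stack:
            current, path = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            for member in composites.get(current, []):
                mkey = role_key(member, clients)
                if mkey == target:
                    findings[start] = path + [mkey]
                    stack = []  # one path per role is enough for a finding
                    break
                stack.append((mkey, path + [mkey]))
    return findings


def fetch_live(base_url, realm, token):
    """Pull roles and composites from a live server (assumed endpoint shapes; not run here)."""
    def get(path):
        req = urllib.request.Request(f"{base_url}/admin/realms/{realm}{path}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    clients = {c["id"]: c["clientId"] for c in get("/clients")}
    roles = get("/roles")
    for cid in clients:
        roles += get(f"/clients/{cid}/roles")
    composites = {}
    for r in roles:
        name = urllib.parse.quote(r["name"], safe="")
        path = (f"/clients/{r['containerId']}/roles/{name}/composites" if r.get("clientRole")
                else f"/roles/{name}/composites")
        composites[role_key(r, clients)] = get(path)
    return roles, composites, clients


if __name__ == "__main__":
    hits = find_realm_admin_grants(SAMPLE_ROLES, SAMPLE_COMPOSITES, SAMPLE_CLIENTS)
    for key, path in hits.items():
        print(f"{key} grants realm-admin via: {' -> '.join(path)}")
```

On the constructed data only `realm:helpdesk` is flagged: the realm role that happens to be named `realm-admin` is not the `realm-management` client role and is ignored, and the `team-a`/`team-b` cycle terminates. Any role the audit flags that was not deliberately provisioned is the artefact this advisory warns about and should be removed directly, independent of whatever was done to the original attacker's account.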

Key dates

Disclosure timeline

May 28, 2026 CVE published
May 28, 2026 Record updated