CVE-2026-9088
2.7 LOW
A flaw was found in org.keycloak.services
Published: 2026-06-05 · Last updated: 2026-06-10
Severity and scoring
- CVSS
- 2.7 LOW
- Vector
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
- CWE
- CWE-1220
Description
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
Source: NVD
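The bypass described above is a mismatch between the realm's declarative user-profile view permissions and what the group-members listing actually returns. As an added example (not Keycloak's own code), the Python below applies a profile's `permissions.view` lists to a captured listing and reports any attribute the caller should not have been shown, which is the check a reviewer would run against a response from that endpoint. The profile JSON shape follows Keycloak's declarative user profile; the realm, users, attribute values and the decision to drop attributes missing from the profile are this example's constructed data and assumptions.

```python
"""Added example (not Keycloak's own code): apply declarative user-profile
view permissions to user representations returned from a group-members
listing, and flag attributes the caller should not have been shown.

The profile JSON shape (attributes[].permissions.view holding "admin"
and/or "user") follows Keycloak's declarative user profile; the realm,
users and attribute names below are constructed for this illustration.
"""
import copy
import json

# Constructed user-profile configuration for a hypothetical realm.
# "ssn" has an empty view list: nobody, admin included, may view it.
USER_PROFILE_CONFIG = json.loads("""
{
  "attributes": [
    {"name": "username",   "permissions": {"view": ["admin", "user"], "edit": ["admin"]}},
    {"name": "email",      "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]}},
    {"name": "department", "permissions": {"view": ["admin"],         "edit": ["admin"]}},
    {"name": "ssn",        "permissions": {"view": [],                "edit": ["admin"]}}
  ]
}
""")

# Constructed, unfiltered listing as an unpatched
# GET /admin/realms/{realm}/groups/{id}/members might return it.
# A Keycloak UserRepresentation keeps username/email at the top level
# and custom attributes under "attributes" as name -> list of values.
GROUP_MEMBERS_RESPONSE = [
    {"id": "u1", "username": "alice", "email": "alice@example.com",
     "attributes": {"department": ["finance"], "ssn": ["123-45-6789"]}},
    {"id": "u2", "username": "bob", "email": "bob@example.com",
     "attributes": {"department": ["legal"]}},
]


def viewable_attributes(profile_config, context):
    """Names of custom attributes whose view permission includes `context`
    ("admin" or "user"). An attribute with no permissions block is treated
    as not viewable (fail closed). Built-in username/email are skipped
    because they are top-level fields, not entries of "attributes"."""
    allowed = set()
    for attr in profile_config.get("attributes", []):
        name = attr.get("name")
        if name in ("username", "email"):
            continue
        view = attr.get("permissions", {}).get("view", [])
        if context in view:
            allowed.add(name)
    return allowed


def apply_view_permissions(user, profile_config, context="admin"):
    """Return a copy of `user` with every custom attribute that `context`
    may not view removed. Attributes absent from the profile are dropped
    as well (this example's assumption: unmanaged means not permitted)."""
    allowed = viewable_attributes(profile_config, context)
    filtered = copy.deepcopy(user)
    filtered["attributes"] = {
        name: values for name, values in user.get("attributes", {}).items()
        if name in allowed
    }
    return filtered


def find_denied_attributes(response, profile_config, context="admin"):
    """Audit a captured listing: map user id -> sorted names of custom
    attributes that were returned although `context` may not view them.
    An empty dict means the listing honoured the profile permissions."""
    allowed = viewable_attributes(profile_config, context)
    leaks = {}
    for user in response:
        denied = sorted(n for n in user.get("attributes", {}) if n not in allowed)
        if denied:
            leaks[user["id"]] = denied
    return leaks


if __name__ == "__main__":
    print("denied attributes returned:",
          find_denied_attributes(GROUP_MEMBERS_RESPONSE, USER_PROFILE_CONFIG))
    for member in GROUP_MEMBERS_RESPONSE:
        print(json.dumps(apply_view_permissions(member, USER_PROFILE_CONFIG)))
```

Run against a real listing, `find_denied_attributes` should return an empty dict once the fix is in place; a non-empty result names exactly the attributes whose `view` list excludes the caller's context and that a delegated administrator with only group-membership and user read access could still observe.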
References
Related CVEs
Same CWE
- CVE-2021-46747 — Insufficient granularity of access control in ASP (AMD Secure Processor) may allow an attacker with an untrusted user space application t...
- CVE-2026-37981 — A flaw was found in Keycloak (4.3 MEDIUM)
- CVE-2026-40365 — Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network (8.8 HIGH)
- CVE-2026-35436 — Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally (8.8 HIGH)
- CVE-2022-36110 — Netmaker makes networks with WireGuard (8.8 HIGH)