
CVE-2026-9791

4.3 MEDIUM

A flaw was found in Keycloak

Published: 2026-05-28 · Last updated: 2026-06-10

Severity and scoring

CVSS: 4.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-863 (Incorrect Authorization)

Affected products

Vendor: redhat
Product: build_of_keycloak

Description

A flaw was found in Keycloak. An authenticated user who is already a member of an organization can trigger it through user-facing APIs, such as the Account API, or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. Organization metadata is then disclosed in the response or in the issued token even after an administrator has explicitly disabled the Organizations feature. Resource servers that derive access rights from that metadata can therefore make incorrect authorization decisions.

Source: NVD
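The practical question for an operator is whether tokens minted by a realm with Organizations switched off still carry organization metadata. The script below is an added example written for this page; it is not Keycloak or Red Hat code. It assumes (none of this is stated above) that organization membership surfaces as a top-level JWT claim named "organization", that the token endpoint lives at /realms/<realm>/protocol/openid-connect/token, and that a Resource Owner Password grant is acceptable for a throwaway test user. The sample tokens are constructed inline with alg=none so the check runs offline; the live request function is there for use against a real realm.

```python
"""Check a Keycloak-issued token for organization metadata (CVE-2026-9791).

Added example, not code from Keycloak or Red Hat. Assumptions: claim name
"organization", standard token endpoint path, password grant for a test user.
"""
import base64
import json
import urllib.parse
import urllib.request

ORG_CLAIM = "organization"  # assumed claim name for organization membership


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS. Deliberately no signature check:
    this inspects a token you just obtained from the issuer, it does not
    authenticate anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def organization_metadata(claims: dict) -> dict:
    """Organization metadata carried in the token, or {} if absent."""
    value = claims.get(ORG_CLAIM)
    return value if isinstance(value, dict) else {}


def assess(token: str, organizations_enabled: bool) -> str:
    """Classify a token against the realm's Organizations setting.
    'leak' is the CVE condition: metadata present although the feature is off."""
    orgs = organization_metadata(decode_claims(token))
    if not orgs:
        return "clean"
    return "expected" if organizations_enabled else "leak"


def authorize(claims: dict, organizations_enabled: bool, required_org: str) -> bool:
    """Resource-server side caveat: only derive org-based access from the claim
    when the realm actually has Organizations enabled; a stray claim from a
    realm that disabled the feature must not grant anything."""
    if not organizations_enabled:
        return False
    return required_org in organization_metadata(claims)


def request_token(base_url, realm, client_id, username, password, client_secret=None):
    """Live check: request a token with the 'organization' scope and return it."""
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": "openid organization",
    }
    if client_secret:
        form["client_secret"] = client_secret
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Constructed alg=none token for offline demonstration only."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(payload)}."


# Constructed sample tokens; not captured from a real server.
SAMPLE_LEAKY = make_unsigned_token({
    "sub": "test-user",
    "preferred_username": "alice",
    "organization": {"acme": {}},
})
SAMPLE_CLEAN = make_unsigned_token({"sub": "test-user", "preferred_username": "alice"})

if __name__ == "__main__":
    print(assess(SAMPLE_LEAKY, organizations_enabled=False))  # leak
    print(assess(SAMPLE_CLEAN, organizations_enabled=False))  # clean
    # Against a real realm with Organizations disabled, a "leak" result for a
    # user who is still an organization member reproduces the reported flaw:
    # token = request_token("https://kc.example", "myrealm", "test-client", "alice", "s3cret")
    # print(assess(token, organizations_enabled=False))
```

Run it once with the feature disabled and once re-enabled; only the first run should ever report "leak". The authorize helper shows the mitigation on the consuming side: treat the realm's feature state, not the presence of a claim, as the precondition for organization-based access.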

Related CVEs

Same vendor

  • CVE-2026-11793 A stack buffer overflow flaw was found in 389 Directory Server (4.9 MEDIUM)
  • CVE-2026-11790 A flaw was found in 389 Directory Server (4.9 MEDIUM)
  • CVE-2026-11789 A flaw was found in 389 Directory Server (4.9 MEDIUM)
  • CVE-2026-11788 A flaw was found in 389 Directory Server (5.9 MEDIUM)
  • CVE-2026-11787 A flaw was found in 389 Directory Server (5.0 MEDIUM)

Same CWE

  • CVE-2026-47777 Mastodon is a free, open-source social network server based on ActivityPub (7.5 HIGH)
  • CVE-2016-20075 WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor... (8.8 HIGH)
  • CVE-2026-34023 The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket...
  • CVE-2026-2470 The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions... (4.3 MEDIUM)
  • CVE-2026-54398 An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP o...