{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-9099","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2026-05-20T15:12:25.740Z","datePublished":"2026-06-25T16:16:43.604Z","dateUpdated":"2026-06-30T12:10:50.907Z"},"containers":{"cna":{"title":"Keycloak: group-admin escalation to realm-admin","metrics":[{"other":{"content":{"value":"Important","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability."}],"affected":[{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-operator-bundle","defaultStatus":"affected","versions":[{"version":"26.4.13-1","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-rhel9","defaultStatus":"affected","versions":[{"version":"26.4-19","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-rhel9-operator","defaultStatus":"affected","versions":[{"version":"26.4-19","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4.13","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","defaultStatus":"unaffected","packageName":"rhbk/keycloak-rhel9","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.6","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-operator-bundle","defaultStatus":"affected","versions":[{"version":"26.6.4-2","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.6::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.6","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-rhel9","defaultStatus":"affected","versions":[{"version":"26.6-8","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.6::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.6","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-rhel9-operator","defaultStatus":"affected","versions":[{"version":"26.6-8","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.6::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.6.4","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","defaultStatus":"unaffected","packageName":"rhbk/keycloak-rhel9","cpes":["cpe:/a:redhat:build_keycloak:26.6::el9"]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:30049","name":"RHSA-2026:30049","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:30050","name":"RHSA-2026:30050","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:30083","name":"RHSA-2026:30083","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:30084","name":"RHSA-2026:30084","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/security/cve/CVE-2026-9099","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2480182","name":"RHBZ#2480182","tags":["issue-tracking","x_refsource_REDHAT"]}],"datePublic":"2026-06-25T15:58:51.884Z","problemTypes":[{"descriptions":[{"cweId":"CWE-639","description":"Authorization Bypass Through User-Controlled Key","lang":"en","type":"CWE"}]}],"x_redhatCweChain":"CWE-639: Authorization Bypass Through User-Controlled Key","workarounds":[{"lang":"en","value":"To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities."}],"timeline":[{"lang":"en","time":"2026-05-20T15:05:54.381Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-25T15:58:51.884Z","value":"Made public."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2026-06-26T06:26:57.094Z"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-25T20:25:31.782558Z","id":"CVE-2026-9099","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-25T20:26:06.600Z"}},{"affected":[{"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"affected","product":"Red Hat build of Keycloak 26.4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:build_keycloak:26.6::el9"],"defaultStatus":"affected","product":"Red Hat build of Keycloak 26.6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"affected","product":"Red Hat build of Keycloak 26.4.13","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:build_keycloak:26.6::el9"],"defaultStatus":"affected","product":"Red Hat build of Keycloak 26.6.4","vendor":"Red Hat"}],"datePublic":"2026-06-25T15:58:51.884Z","descriptions":[{"lang":"en","value":"A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-639","description":"Authorization Bypass Through User-Controlled Key","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-9099"},{"name":"RHBZ#2480182","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2480182"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9099.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:30050"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:30084"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:30049"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:30083"}],"solutions":[{"lang":"en","value":"RHSA-2026:30050: Red Hat build of Keycloak 26.4"},{"lang":"en","value":"RHSA-2026:30084: Red Hat build of Keycloak 26.6"},{"lang":"en","value":"RHSA-2026:30049: Red Hat build of Keycloak 26.4.13"},{"lang":"en","value":"RHSA-2026:30083: Red Hat build of Keycloak 26.6.4"}],"timeline":[{"lang":"en","time":"2026-05-20T15:05:54.381Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-25T15:58:51.884Z","value":"Made public."}],"title":"keycloak: Group-Admin Escalation to Realm-Admin","workarounds":[{"lang":"en","value":"To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:10:50.907Z"}}]}}