CVE-2026-2366 Overview
A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
Critical Impact
Authenticated users can enumerate organization memberships of other users through the Keycloak Admin API, bypassing intended authorization controls and exposing sensitive organizational structure information.
Affected Products
- Keycloak (versions with Organizations feature enabled)
Discovery Timeline
- 2026-03-12 - CVE-2026-2366 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-2366
Vulnerability Analysis
This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key. The flaw resides in the Keycloak Admin API's authorization mechanism, which fails to properly validate whether the requesting user has sufficient privileges to access organization membership information for other users.
When the Organizations feature is enabled in Keycloak, the Admin API exposes endpoints that return user organization membership data. The vulnerability allows any authenticated user to query these endpoints using another user's UUID, regardless of whether they have administrative privileges. This represents a horizontal privilege escalation scenario where normal users can access data they should not be authorized to view.
The attack requires the attacker to possess a valid authentication token and knowledge of the target user's UUID. While UUIDs are not sequential, they may be obtained through other application interfaces, logging, or social engineering.
Root Cause
The root cause is improper authorization enforcement (CWE-639) in the Keycloak Admin API. The API endpoints handling organization membership queries verify that the requester is authenticated but fail to validate whether the authenticated user has the necessary administrative role or permissions to access organization membership data for users other than themselves.
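The distinction the root cause describes, shown as an added illustration that is not Keycloak's code: both handlers below gate on authentication, but only the second makes the authorization decision CWE-639 is about (is the requester the target, or does the requester hold a role that permits viewing other users). The `Principal`/`Directory` types, the role names in `ADMIN_ROLES` and the sample data are all constructed stand-ins for the real admin API.

```python
"""Authentication-only vs. authorization-checked membership lookup (added example).

Nothing here is Keycloak source; the handler shape is a simplified stand-in so
that the location of the authorization decision is the only thing that differs.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed role names for "may read other users"; a real deployment maps its own
# admin roles here (constructed set, not Keycloak's exact role catalogue).
ADMIN_ROLES = frozenset({"view-users", "manage-users"})


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset = frozenset()


@dataclass
class Directory:
    # user_id -> set of organization ids (constructed sample data)
    memberships: dict = field(default_factory=dict)

    def organizations_of(self, user_id: str) -> set:
        return set(self.memberships.get(user_id, set()))


class Forbidden(Exception):
    pass


def may_view_memberships(requester: Principal, target_user_id: str) -> bool:
    """Self-service is always allowed; anything else needs an admin role."""
    return requester.user_id == target_user_id or bool(requester.roles & ADMIN_ROLES)


def list_user_orgs_vulnerable(directory: Directory, requester: Optional[Principal],
                              target_user_id: str) -> set:
    """Mirrors the flaw: the only check is 'is someone logged in?'."""
    if requester is None:
        raise Forbidden("authentication required")
    # User-controlled key (target_user_id) is used directly: CWE-639.
    return directory.organizations_of(target_user_id)


def list_user_orgs_hardened(directory: Directory, requester: Optional[Principal],
                            target_user_id: str) -> set:
    """Same lookup, but the requester/target relationship is authorized first."""
    if requester is None:
        raise Forbidden("authentication required")
    if not may_view_memberships(requester, target_user_id):
        raise Forbidden("insufficient privileges")
    return directory.organizations_of(target_user_id)
```

One design point worth keeping in mind when writing the hardened form: the authorization check runs before the data lookup, so the response for a denied request is identical whether or not the target UUID exists, which avoids turning the endpoint into a user-existence oracle.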
Attack Vector
The attack is conducted over the network and requires only low privileges (any authenticated user). The attacker must have:
- Valid authentication credentials for the Keycloak instance
- Knowledge of the target user's UUID
- The Organizations feature enabled on the target Keycloak deployment
Once these conditions are met, the attacker can query the Admin API to enumerate which organizations a specific user belongs to, potentially revealing sensitive information about organizational structure and user affiliations.
Detection Methods for CVE-2026-2366
Indicators of Compromise
- Unusual API requests to organization membership endpoints from non-administrative user accounts
- Repeated queries to the Admin API targeting different user UUIDs from the same authenticated session
- Access patterns showing enumeration behavior against organization-related API endpoints
Detection Strategies
- Monitor Keycloak Admin API access logs for requests to organization membership endpoints from users without admin roles
- Implement alerting for high-volume API requests targeting user organization data
- Review audit logs for cross-user queries where the requesting user attempts to access another user's organization memberships
Monitoring Recommendations
- Enable detailed audit logging for all Keycloak Admin API operations
- Configure SIEM rules to detect anomalous access patterns to organization membership endpoints
- Implement rate limiting on Admin API endpoints to slow potential enumeration attempts
- Establish baseline metrics for normal organization membership query patterns
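The detection strategies above, worked through as an added example that is not part of the original page or of Keycloak. One practical caveat drives the design: Keycloak admin events record administrative write operations, so read-only enumeration against the Admin API has to be picked up at the HTTP layer (a reverse proxy that logs the token subject, or a custom event listener). The record schema below (`ts`, `sub`, `method`, `path`, `status`), the path pattern in `ORG_MEMBERSHIP_PATH`, the realm name, the UUIDs and the `ADMIN_SUBJECTS` set are all constructed assumptions, not observed traffic or documented endpoints.

```python
"""Cross-user organization-membership query detection over access-log records.

Added example. Assumed inputs: one JSON record per line with the requester's
token subject already extracted into "sub". The endpoint path shape is an
assumption about how a per-user membership lookup is addressed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed path shape for a per-user organization membership lookup.
ORG_MEMBERSHIP_PATH = re.compile(
    r"^/admin/realms/(?P<realm>[^/]+)/organizations/members/"
    r"(?P<target>[0-9a-fA-F-]{36})/organizations/?$"
)

# Constructed set of subjects that legitimately hold admin roles.
ADMIN_SUBJECTS = {"9c1f0a2e-0000-4000-8000-000000000001"}

# Constructed sample records (not real traffic): one admin read, one self-service
# read, three cross-user reads by a non-admin, one unrelated denied request.
SAMPLE_LOG = """\
{"ts":"2026-03-12T10:00:01Z","sub":"9c1f0a2e-0000-4000-8000-000000000001","method":"GET","path":"/admin/realms/acme/organizations/members/2b5d6e7f-0000-4000-8000-000000000010/organizations","status":200}
{"ts":"2026-03-12T10:00:05Z","sub":"4a4a4a4a-0000-4000-8000-000000000002","method":"GET","path":"/admin/realms/acme/organizations/members/4a4a4a4a-0000-4000-8000-000000000002/organizations","status":200}
{"ts":"2026-03-12T10:00:06Z","sub":"4a4a4a4a-0000-4000-8000-000000000002","method":"GET","path":"/admin/realms/acme/organizations/members/2b5d6e7f-0000-4000-8000-000000000010/organizations","status":200}
{"ts":"2026-03-12T10:00:07Z","sub":"4a4a4a4a-0000-4000-8000-000000000002","method":"GET","path":"/admin/realms/acme/organizations/members/2b5d6e7f-0000-4000-8000-000000000011/organizations","status":200}
{"ts":"2026-03-12T10:00:08Z","sub":"4a4a4a4a-0000-4000-8000-000000000002","method":"GET","path":"/admin/realms/acme/organizations/members/2b5d6e7f-0000-4000-8000-000000000012/organizations","status":200}
{"ts":"2026-03-12T10:00:09Z","sub":"4a4a4a4a-0000-4000-8000-000000000002","method":"GET","path":"/admin/realms/acme/users/2b5d6e7f-0000-4000-8000-000000000012","status":403}
"""


def parse_records(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def cross_user_queries(records, admin_subjects=ADMIN_SUBJECTS):
    """Yield (requester, target, ts) for successful membership reads where the
    requester is neither the target user nor a known administrator."""
    for rec in records:
        m = ORG_MEMBERSHIP_PATH.match(rec.get("path", ""))
        if not m or rec.get("method") != "GET" or rec.get("status") != 200:
            continue
        requester = rec.get("sub")
        target = m.group("target").lower()
        if requester is None or requester.lower() == target or requester in admin_subjects:
            continue
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        yield requester, target, ts


def enumeration_alerts(records, window=timedelta(minutes=5), min_targets=2):
    """Return {requester: set_of_targets} for requesters that read at least
    `min_targets` distinct other users' memberships inside a sliding `window`.
    A single cross-user read is already a policy violation; the threshold is
    what separates one stray request from enumeration behaviour."""
    events = defaultdict(list)
    for requester, target, ts in cross_user_queries(records):
        events[requester].append((ts, target))
    alerts = {}
    for requester, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {t for ts, t in hits[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts[requester] = targets
                break
    return alerts


if __name__ == "__main__":
    for who, targets in enumeration_alerts(parse_records(SAMPLE_LOG)).items():
        print(f"ALERT requester={who} distinct_targets={len(targets)}")
```

Run against the constructed sample, the admin read and the self-service read are ignored, the denied `/users/` request never matches the pattern, and the non-admin subject is flagged with three distinct targets. The same `cross_user_queries` generator is the natural feed for a SIEM rule: emit every hit as an event and let the correlation layer apply the window and threshold, so the baseline can be tuned per deployment without changing the parser.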
How to Mitigate CVE-2026-2366
Immediate Actions Required
- Review Keycloak Admin API access controls and ensure proper role-based authorization is enforced
- Audit existing user permissions to identify accounts with unnecessary Admin API access
- Consider temporarily restricting access to organization membership endpoints until patching is complete
- Monitor for exploitation attempts using the detection strategies outlined above
Patch Information
Refer to the Red Hat CVE-2026-2366 Advisory for official patch information and updated Keycloak versions that address this vulnerability. Additional technical details are available in Red Hat Bug Report #2439081.
Workarounds
- Disable the Organizations feature if not required for business operations
- Implement network-level access controls to restrict Admin API access to trusted sources only
- Apply additional authentication requirements for Admin API endpoints using a reverse proxy
- Audit and revoke unnecessary user accounts that have access to the Keycloak instance
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.