
CVE-2026-9088: Keycloak Information Disclosure Flaw

CVE-2026-9088 is an information disclosure vulnerability in Keycloak that allows administrators to bypass user profile permissions and view restricted user attributes. This article covers technical details, impact, and mitigation.


CVE-2026-9088 Overview

CVE-2026-9088 is an information disclosure vulnerability in the org.keycloak.services component of Keycloak. An administrator with delegated permissions to read group memberships and users can bypass user profile permissions by querying the group members endpoint. The endpoint returns user attributes that have been explicitly configured as denied under the user profile permission model. This allows a privileged but restricted administrator to read attributes they should not see, resulting in unauthorized disclosure of user data. Red Hat tracks this issue under bug report 2480179 and has issued advisories RHSA-2026:25097 and RHSA-2026:25098.

Critical Impact

A delegated administrator can read user profile attributes explicitly denied by policy, undermining attribute-level access controls in Keycloak identity deployments.

Affected Products

  • Keycloak (org.keycloak.services component)
  • Red Hat Build of Keycloak (per RHSA-2026:25097)
  • Red Hat Single Sign-On / related distributions (per RHSA-2026:25098)

Discovery Timeline

  • 2026-06-05 - CVE-2026-9088 published to the National Vulnerability Database
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-9088

Vulnerability Analysis

The flaw resides in how Keycloak's group members endpoint serializes user objects. Keycloak supports a user profile configuration where individual attributes can be marked as denied for specific roles or administrative scopes. When an administrator queries an individual user via the standard user endpoint, the user profile permission layer filters denied attributes from the response. However, the group members endpoint returns user representations without enforcing the same user profile permission checks. An administrator who holds delegated rights to view-users and query-groups (or equivalent fine-grained admin permissions) can iterate group memberships and harvest user attributes the configured policy was meant to hide. The weakness is categorized as [CWE-1220] Insufficient Granularity of Access Control. The result is a confidentiality-only impact with no integrity or availability consequence, but it directly defeats an administrator's intent to compartmentalize sensitive attributes such as personal identifiers, contact data, or custom claims.

Root Cause

The group members endpoint constructs user representations through a code path that does not invoke the user profile attribute filter applied by the per-user endpoint. The permission model is enforced at the wrong layer, granting access to the collection while skipping attribute-level redaction.
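The two code paths described above, modelled as an added example (this is not Keycloak's code; the permission table, the scope names, the `national_id`/`phone` attributes and the user records are all constructed). `get_user` applies the user profile filter, `get_group_members_vulnerable` builds member representations without it, and `get_group_members_fixed` routes the collection through the same filter the per-user path uses, which is the shape of the fix the advisory describes:

```python
"""Model of the per-user and group-members serialization paths.
Added example, not Keycloak code: permissions, scopes and users are constructed."""
from dataclasses import dataclass, field

# Constructed user profile permissions: attribute -> admin scopes allowed to view it.
# A scope absent from an attribute's set is "denied" that attribute.
VIEW_PERMISSIONS = {
    "email": {"full-admin", "helpdesk"},
    "department": {"full-admin", "helpdesk"},
    "national_id": {"full-admin"},   # hypothetical sensitive attribute, denied to helpdesk
    "phone": {"full-admin"},         # hypothetical contact attribute, denied to helpdesk
}


@dataclass
class User:
    id: str
    username: str
    attributes: dict
    groups: set = field(default_factory=set)


# Constructed directory: two members of one group.
USERS = {
    "u-1": User("u-1", "alice",
                {"email": "alice@example.test", "department": "finance",
                 "national_id": "000-00-0001", "phone": "+1-555-0100"}, {"finance"}),
    "u-2": User("u-2", "bob",
                {"email": "bob@example.test", "department": "finance",
                 "national_id": "000-00-0002"}, {"finance"}),
}


def filter_attributes(attributes, scope):
    """The user-profile attribute filter: keep only keys the scope may view."""
    return {k: v for k, v in attributes.items() if scope in VIEW_PERMISSIONS.get(k, set())}


def to_representation(user, scope, apply_filter):
    """Build a user representation, optionally redacting denied attributes."""
    attrs = filter_attributes(user.attributes, scope) if apply_filter else dict(user.attributes)
    return {"id": user.id, "username": user.username, "attributes": attrs}


def get_user(user_id, scope):
    """Per-user endpoint: the attribute filter is applied."""
    return to_representation(USERS[user_id], scope, apply_filter=True)


def get_group_members_vulnerable(group, scope):
    """Group-members path as described in the root cause: no attribute filter."""
    return [to_representation(u, scope, apply_filter=False)
            for u in USERS.values() if group in u.groups]


def get_group_members_fixed(group, scope):
    """Hardened path: the same filter as the per-user endpoint, applied per member."""
    return [to_representation(u, scope, apply_filter=True)
            for u in USERS.values() if group in u.groups]


def denied_keys_in(representations, scope):
    """Attribute keys present in a response that the scope is not permitted to view."""
    leaked = set()
    for rep in representations:
        for key in rep["attributes"]:
            if scope not in VIEW_PERMISSIONS.get(key, set()):
                leaked.add(key)
    return leaked


if __name__ == "__main__":
    scope = "helpdesk"
    print("per-user leak:     ", denied_keys_in([get_user("u-1", scope)], scope))
    print("group (vulnerable):", denied_keys_in(get_group_members_vulnerable("finance", scope), scope))
    print("group (fixed):     ", denied_keys_in(get_group_members_fixed("finance", scope), scope))
```

`denied_keys_in` doubles as a response check a defender can run against captured admin API output: any non-empty result for a delegated scope means attribute-level redaction was skipped for that collection.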

Attack Vector

Exploitation requires an authenticated administrator account that already holds delegated privileges to read users and groups. The attacker issues an HTTP GET request to the admin REST API group members endpoint for any group containing the target users. The response includes attributes the user profile configuration marks as denied. No user interaction is required, and the request is performed over the network against the Keycloak admin API.

No public proof-of-concept code is referenced in the advisory. Administrators should consult the Red Hat CVE Analysis CVE-2026-9088 and Red Hat Bug Report #2480179 for vendor-supplied technical context.

Detection Methods for CVE-2026-9088

Indicators of Compromise

  • Repeated administrative GET requests to /admin/realms/{realm}/groups/{id}/members originating from a single delegated administrator account.
  • Admin API responses containing user attribute keys that match fields marked as denied in the realm's user profile configuration.
  • Spikes in group enumeration calls (/admin/realms/{realm}/groups) followed by sequential member listings against multiple groups.

Detection Strategies

  • Enable Keycloak admin event logging and forward events of type ACTION with resourceType=GROUP_MEMBERSHIP to a central log platform for review.
  • Correlate the identity of the calling administrator with the attribute-level access policies defined in the realm to flag mismatches.
  • Baseline normal admin API usage per delegated account and alert on volumetric outliers against the group members endpoint.
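The indicators and detection strategies above, turned into detection logic as an added example (not part of the original article and not Keycloak's own admin-event schema): the JSON log lines, the `admin` field, the per-scope denied-attribute table and the `max_groups` baseline are all constructed. `flag_harvesting` flags an account that enumerates groups and then lists members across more distinct groups than its baseline allows; `leaked_attribute_keys` correlates a captured group-members response with the attributes the policy denies to the caller:

```python
"""Detection over reverse-proxy style logs of the Keycloak admin API.
Added example: log format, field names, policy table and threshold are constructed."""
import json
import re
from collections import defaultdict

# Paths named in the indicators of compromise above.
GROUP_LIST_RE = re.compile(r"^/admin/realms/(?P<realm>[^/]+)/groups/?$")
GROUP_MEMBERS_RE = re.compile(r"^/admin/realms/(?P<realm>[^/]+)/groups/(?P<gid>[^/]+)/members/?$")

# Constructed log: one JSON object per line; "admin" is the calling administrator.
SAMPLE_LOG = """\
{"ts": "2026-06-06T09:00:01Z", "admin": "delegated-admin", "method": "GET", "path": "/admin/realms/corp/groups", "status": 200}
{"ts": "2026-06-06T09:00:02Z", "admin": "delegated-admin", "method": "GET", "path": "/admin/realms/corp/groups/g-1/members", "status": 200}
{"ts": "2026-06-06T09:00:03Z", "admin": "delegated-admin", "method": "GET", "path": "/admin/realms/corp/groups/g-2/members", "status": 200}
{"ts": "2026-06-06T09:00:04Z", "admin": "delegated-admin", "method": "GET", "path": "/admin/realms/corp/groups/g-3/members", "status": 200}
{"ts": "2026-06-06T09:00:05Z", "admin": "delegated-admin", "method": "GET", "path": "/admin/realms/corp/groups/g-4/members", "status": 200}
{"ts": "2026-06-06T09:05:00Z", "admin": "helpdesk-1", "method": "GET", "path": "/admin/realms/corp/groups/g-1/members", "status": 200}
{"ts": "2026-06-06T09:06:00Z", "admin": "helpdesk-1", "method": "GET", "path": "/admin/realms/corp/users/u-7", "status": 200}
"""

# Constructed policy: attribute keys each delegated account is denied from viewing.
DENIED_ATTRIBUTES = {
    "delegated-admin": {"national_id", "phone"},
    "helpdesk-1": {"national_id"},
}


def parse_log(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_group_access(events):
    """Per admin account: whether groups were enumerated and which groups' members were listed."""
    summary = defaultdict(lambda: {"enumerated": False, "member_groups": set()})
    for ev in events:
        if ev.get("method") != "GET":
            continue
        admin = ev.get("admin", "unknown")
        path = ev.get("path", "")
        if GROUP_LIST_RE.match(path):
            summary[admin]["enumerated"] = True
        m = GROUP_MEMBERS_RE.match(path)
        if m:
            summary[admin]["member_groups"].add(m.group("gid"))
    return summary


def flag_harvesting(events, max_groups=3):
    """Accounts whose member listings span more than max_groups distinct groups.
    max_groups stands in for the per-account baseline the strategy above calls for."""
    flagged = []
    for admin, s in summarize_group_access(events).items():
        if len(s["member_groups"]) > max_groups:
            flagged.append({"admin": admin, "groups": len(s["member_groups"]),
                            "enumerated": s["enumerated"]})
    return sorted(flagged, key=lambda f: f["admin"])


def leaked_attribute_keys(admin, response_body):
    """Attribute keys in a group-members JSON response that the policy denies to admin."""
    denied = DENIED_ATTRIBUTES.get(admin, set())
    leaked = set()
    for user in json.loads(response_body):
        leaked |= set(user.get("attributes", {})) & denied
    return leaked


if __name__ == "__main__":
    for hit in flag_harvesting(parse_log(SAMPLE_LOG)):
        print("ALERT group member harvesting:", hit)
    # Constructed response body, as captured from the group-members endpoint.
    body = json.dumps([{"username": "alice", "attributes": {"national_id": ["x"], "department": ["fin"]}}])
    print("denied keys returned to delegated-admin:", leaked_attribute_keys("delegated-admin", body))
```

In production the `admin` field would come from the proxy's authenticated-principal header or from the Keycloak admin event's `authDetails`, and `max_groups` from the per-account baseline rather than a constant.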

Monitoring Recommendations

  • Forward Keycloak admin and authentication events to a SIEM and retain them for incident review.
  • Audit fine-grained admin role assignments quarterly, especially view-users, query-groups, and manage-users.
  • Monitor egress from accounts that hold delegated admin scope for bulk JSON responses that could indicate attribute harvesting.

How to Mitigate CVE-2026-9088

Immediate Actions Required

Patch Information

Red Hat has published fixed packages through advisories RHSA-2026:25097 and RHSA-2026:25098. Operators of upstream Keycloak should upgrade to the corresponding fixed release that incorporates the user profile permission check on the group members endpoint. Refer to the Red Hat CVE Analysis CVE-2026-9088 page for the authoritative list of affected and fixed package versions.

Workarounds

  • Restrict the use of the group members admin endpoint by removing the query-groups and view-users fine-grained permissions from delegated administrators until the patch is applied.
  • Remove sensitive attributes from user profiles entirely, or store them outside of Keycloak, if the affected version cannot be upgraded immediately.
  • Place the Keycloak admin API behind a reverse proxy that enforces an allowlist of trusted source networks for administrative calls.
```bash
# Review which realm-management client roles a delegated admin account holds
kcadm.sh get-roles -r master --uusername delegated-admin \
  --cclientid realm-management

# List users with their attributes to see which sensitive fields are stored
kcadm.sh get users -r master -q briefRepresentation=false \
  --fields id,username,attributes

# Remove the query-groups role from a delegated admin account
kcadm.sh remove-roles -r master --uusername delegated-admin \
  --cclientid realm-management --rolename query-groups
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
