CVE-2026-9796 Overview
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in Keycloak's name-based admin role checks. An authenticated administrator holding the manage-clients role can exploit the race condition to escalate privileges to realm-admin across all users within the realm. The escalation grants extensive control over the identity management system. The composite role relationship persists after the attacker's own permissions are revoked and survives system reboots, creating a durable backdoor.
Critical Impact
A low-privilege realm administrator can permanently escalate to realm-admin, gaining control over every user in the realm.
Affected Products
- Red Hat Keycloak (identity and access management server)
- Red Hat Build of Keycloak
- Downstream distributions incorporating affected Keycloak versions
Discovery Timeline
- 2026-05-28 - CVE-2026-9796 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-9796
Vulnerability Analysis
The flaw resides in Keycloak's name-based admin role validation logic. Keycloak validates admin roles using string-based name lookups rather than immutable identifiers. Between the validation check and the role assignment operation, an attacker can manipulate role state to bypass the intended authorization boundary.
The vulnerability is classified under [CWE-367] Time-of-Check Time-of-Use Race Condition. An authenticated administrator with the manage-clients role can trigger the race window through concurrent API requests. Successful exploitation creates a composite role relationship that elevates the attacker to realm-admin for the entire realm.
The persistence characteristic distinguishes this vulnerability from transient privilege issues. The composite role binding remains in the database even after revoking the attacker's original manage-clients role. Restarting the Keycloak instance does not clear the unauthorized relationship.
Root Cause
Keycloak performs admin role validation using mutable string names instead of stable role identifiers. The validation and assignment operations are not atomic, so a concurrent operation can change the role state after it has been checked but before it is used. This breaks the assumption that the role state validated at check time matches the state at assignment time.
Attack Vector
Exploitation requires network access to the Keycloak admin API and prior authentication with the manage-clients role. The attacker issues parallel requests that create, rename, or modify client roles to manipulate the name-based check. Once the race succeeds, the composite role linkage to realm-admin is written to the persistent store. The attacker then controls all users, clients, and authentication flows within the realm.
No verified public exploit code is available. Refer to the Red Hat CVE-2026-9796 Advisory and Red Hat Bug Report #2482464 for vendor technical details.
Detection Methods for CVE-2026-9796
Indicators of Compromise
- Unexpected composite role relationships linking non-administrative roles to realm-admin in the Keycloak database.
- Audit log entries showing rapid, concurrent role creation or modification requests from accounts holding manage-clients.
- Users gaining administrative capabilities without a corresponding direct role grant event.
Detection Strategies
- Query the Keycloak KEYCLOAK_ROLE and COMPOSITE_ROLE tables for unauthorized composite mappings to realm-admin.
- Enable and review Keycloak admin event logging for role assignment operations originating from manage-clients accounts.
- Correlate administrative API calls with subsequent privilege changes to identify race condition exploitation patterns.
Monitoring Recommendations
- Alert on any modification to the realm-admin composite role membership outside of approved change windows.
- Monitor for high-frequency concurrent calls to /admin/realms/{realm}/clients/{id}/roles endpoints.
- Track changes in effective permissions for all realm users on a recurring schedule to detect persistent escalations.
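The burst-and-correlate pattern described under Detection Strategies and Monitoring Recommendations, as an added example that is not part of this advisory or of Keycloak itself. It parses JSON-lines admin events in the shape of Keycloak's admin-events representation (time, operationType, resourceType, resourcePath, authDetails.userId), flags any account that issues a high-frequency run of role-management operations, and then looks for a composite or role-mapping change by the same account shortly afterwards. The sample events, user ids, paths and the assumption that composite changes show "/composites" in resourcePath are all constructed for this example; the thresholds are placeholders to tune against your own baseline.

```python
"""Detect bursts of role-management admin events followed by a privilege change.

Added example, not code from the advisory or from Keycloak. Input is one JSON
admin event per line, in the field layout of Keycloak's admin-events API.
"""
import json
from collections import defaultdict

# Keycloak admin-event resource types that touch roles or role mappings.
ROLE_RESOURCE_TYPES = {"REALM_ROLE", "CLIENT_ROLE", "REALM_ROLE_MAPPING", "CLIENT_ROLE_MAPPING"}


def _evt(time_ms, user, op, rtype, path):
    """Build one constructed sample event (ids, paths and IP are made up)."""
    return {"time": time_ms, "realmId": "demo", "operationType": op, "resourceType": rtype,
            "resourcePath": path,
            "authDetails": {"realmId": "master", "clientId": "admin-cli",
                            "userId": user, "ipAddress": "203.0.113.10"}}


BASE = 1_700_000_000_000  # constructed epoch-millisecond base
SAMPLE_EVENTS = (
    # u-racer: eight client-role updates inside half a second ...
    [_evt(BASE + i * 60, "u-racer", "UPDATE", "CLIENT_ROLE", "clients/c-1/roles/svc-role")
     for i in range(8)]
    # ... then a composite link written three seconds later.
    + [_evt(BASE + 3_000, "u-racer", "CREATE", "CLIENT_ROLE", "roles-by-id/r-svc/composites")]
    # u-admin: ordinary, widely spaced role maintenance.
    + [_evt(BASE, "u-admin", "CREATE", "CLIENT_ROLE", "clients/c-2/roles/reader"),
       _evt(BASE + 30_000, "u-admin", "UPDATE", "CLIENT_ROLE", "clients/c-2/roles/reader")]
)
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def parse_events(log_text):
    """JSON-lines admin events -> list of dicts sorted by event time."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["time"])


def find_role_bursts(events, window_ms=2_000, threshold=5):
    """Return [(user_id, first_time, last_time, count)] for every account whose
    densest window_ms-long run of role-related operations reaches `threshold`."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("resourceType") in ROLE_RESOURCE_TYPES:
            by_user[e["authDetails"]["userId"]].append(e["time"])
    bursts = []
    for user, times in by_user.items():
        times.sort()
        best, start = None, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window_ms:
                start += 1
            count = end - start + 1
            if best is None or count > best[3]:
                best = (user, times[start], t, count)
        if best and best[3] >= threshold:
            bursts.append(best)
    return bursts


def privilege_changes_after(events, bursts, follow_ms=60_000):
    """For each burst, the same account's later composite or role-mapping changes
    within follow_ms. A burst followed by a new composite link is the alert case."""
    findings = []
    for user, _start, end, count in bursts:
        for e in events:
            same_user = e["authDetails"]["userId"] == user
            in_window = end < e["time"] <= end + follow_ms
            # Assumption: composite edits carry "/composites" in the resource path.
            is_priv = ("/composites" in e.get("resourcePath", "")
                       or e.get("resourceType", "").endswith("ROLE_MAPPING"))
            if same_user and in_window and is_priv:
                findings.append({"user": user, "burst_events": count, "time": e["time"],
                                 "operation": e["operationType"], "path": e["resourcePath"]})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    bursts = find_role_bursts(evs)
    print("bursts:", bursts)
    print("privilege changes after burst:", privilege_changes_after(evs, bursts))
```

Feed it the output of `GET /admin/realms/{realm}/admin-events` (one event per line) or the admin-event log lines your logging listener emits; the point of the second function is that a burst alone is noisy, while a burst followed by a composite or mapping change from the same account is the shape this vulnerability leaves in the audit trail.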
How to Mitigate CVE-2026-9796
Immediate Actions Required
- Apply the patched Keycloak release referenced in the Red Hat CVE-2026-9796 Advisory as soon as it is available for your distribution.
- Audit all accounts holding the manage-clients role and revoke the role from any account that does not require it.
- Inspect composite role mappings for unauthorized linkages to realm-admin and remove any that cannot be attributed to a legitimate change.
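The database checks called for under Detection Strategies (composite mappings to realm-admin) and under Immediate Actions (auditing who holds manage-clients, and inspecting and removing unauthorized linkages), as one added example that is not part of this advisory or of Keycloak. It recreates a simplified subset of Keycloak's relational schema (KEYCLOAK_ROLE, COMPOSITE_ROLE, USER_ROLE_MAPPING, USER_ENTITY) in an in-memory SQLite database with constructed rows, including one planted app-user -> realm-admin composite, then lists which composites grant realm-admin, expands each user's effective roles through nested composites, and drops the rogue link. Role ids, user names and the realm id are constructed; the schema is a simplification (group memberships and client default roles are not followed).

```python
"""Hunt composite links to realm-admin and list effective role holders.

Added example, not code from the advisory or from Keycloak. The tables below
are a simplified stand-in for Keycloak's schema, populated with constructed rows.
"""
import sqlite3
from collections import deque

REALM_ID = "demo"  # constructed realm id

ROLES = [
    # (ID, NAME, CLIENT_ROLE, CLIENT) -- constructed; realm-admin and friends are
    # client roles of the realm-management client in real Keycloak.
    ("r-realm-admin", "realm-admin", 1, "c-realm-mgmt"),
    ("r-manage-clients", "manage-clients", 1, "c-realm-mgmt"),
    ("r-view-users", "view-users", 1, "c-realm-mgmt"),
    ("r-helpdesk", "helpdesk", 0, None),
    ("r-app-user", "app-user", 0, None),
]
COMPOSITES = [
    # (COMPOSITE, CHILD_ROLE): the composite role grants the child role.
    ("r-realm-admin", "r-manage-clients"),
    ("r-realm-admin", "r-view-users"),
    ("r-helpdesk", "r-view-users"),
    ("r-app-user", "r-realm-admin"),   # constructed backdoor: app-user now grants realm-admin
]
USERS = [("u-alice", "alice"), ("u-bob", "bob"), ("u-carol", "carol")]
USER_ROLE_MAPPINGS = [("u-alice", "r-manage-clients"), ("u-bob", "r-app-user"),
                      ("u-carol", "r-helpdesk")]


def build_sample_db():
    """In-memory SQLite stand-in for the four Keycloak tables used below."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE KEYCLOAK_ROLE (ID TEXT PRIMARY KEY, NAME TEXT, REALM_ID TEXT,
                                    CLIENT_ROLE INTEGER, CLIENT TEXT);
        CREATE TABLE COMPOSITE_ROLE (COMPOSITE TEXT, CHILD_ROLE TEXT);
        CREATE TABLE USER_ENTITY (ID TEXT PRIMARY KEY, USERNAME TEXT);
        CREATE TABLE USER_ROLE_MAPPING (USER_ID TEXT, ROLE_ID TEXT);
    """)
    conn.executemany("INSERT INTO KEYCLOAK_ROLE VALUES (?,?,?,?,?)",
                     [(i, n, REALM_ID, cr, cl) for i, n, cr, cl in ROLES])
    conn.executemany("INSERT INTO COMPOSITE_ROLE VALUES (?,?)", COMPOSITES)
    conn.executemany("INSERT INTO USER_ENTITY VALUES (?,?)", USERS)
    conn.executemany("INSERT INTO USER_ROLE_MAPPING VALUES (?,?)", USER_ROLE_MAPPINGS)
    return conn


def composites_granting(conn, role_name, realm_id=REALM_ID, allowed=()):
    """Names of composite roles that directly contain `role_name`, minus an allowlist.
    Any composite granting realm-admin that is not approved deserves review."""
    rows = conn.execute("""
        SELECT parent.NAME
          FROM COMPOSITE_ROLE cr
          JOIN KEYCLOAK_ROLE child  ON child.ID  = cr.CHILD_ROLE
          JOIN KEYCLOAK_ROLE parent ON parent.ID = cr.COMPOSITE
         WHERE child.NAME = ? AND child.REALM_ID = ?
         ORDER BY parent.NAME
    """, (role_name, realm_id)).fetchall()
    return [name for (name,) in rows if name not in allowed]


def effective_roles(conn, user_id):
    """Expand a user's direct mappings through nested composites (breadth-first).
    Simplification: group memberships and client default roles are not followed."""
    direct = [r for (r,) in conn.execute(
        "SELECT ROLE_ID FROM USER_ROLE_MAPPING WHERE USER_ID = ?", (user_id,))]
    seen, queue = set(direct), deque(direct)
    while queue:
        role_id = queue.popleft()
        for (child,) in conn.execute(
                "SELECT CHILD_ROLE FROM COMPOSITE_ROLE WHERE COMPOSITE = ?", (role_id,)).fetchall():
            if child not in seen:
                seen.add(child)
                queue.append(child)
    if not seen:
        return set()
    placeholders = ",".join("?" * len(seen))
    rows = conn.execute(f"SELECT NAME FROM KEYCLOAK_ROLE WHERE ID IN ({placeholders})",
                        tuple(seen)).fetchall()
    return {n for (n,) in rows}


def users_with_effective_role(conn, role_name):
    """Usernames whose effective permissions include `role_name`; run this for
    realm-admin (who can reach it?) and manage-clients (who needs auditing?)."""
    users = conn.execute("SELECT ID, USERNAME FROM USER_ENTITY").fetchall()
    return sorted(name for uid, name in users if role_name in effective_roles(conn, uid))


def remove_composite(conn, parent_id, child_id):
    """Drop one composite link; returns rows removed. Against a live server remove
    the link through the Admin Console or REST API instead of raw SQL: Keycloak
    caches role data and will not notice a direct database edit until restart."""
    cur = conn.execute("DELETE FROM COMPOSITE_ROLE WHERE COMPOSITE = ? AND CHILD_ROLE = ?",
                       (parent_id, child_id))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    print("composites granting realm-admin:", composites_granting(db, "realm-admin"))
    print("users effectively realm-admin:", users_with_effective_role(db, "realm-admin"))
    print("users holding manage-clients:", users_with_effective_role(db, "manage-clients"))
```

Pointed at a real deployment, open the Keycloak database read-only and keep the column names; the `allowed` list is where approved composites that legitimately bundle realm-admin go, so that the query returns only links nobody signed off on. Running `users_with_effective_role` on a schedule and diffing the result is the recurring effective-permission check the Monitoring Recommendations describe.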
Patch Information
Red Hat tracks remediation under Red Hat Bug Report #2482464. Consult the vendor advisory for fixed version numbers applicable to your Keycloak or Red Hat Build of Keycloak deployment. Apply the patch to all realms and verify that role validation now uses immutable identifiers rather than mutable names.
Workarounds
- Restrict the manage-clients role to a minimal set of trusted administrators until patches are applied.
- Place the Keycloak admin API behind network controls that limit access to known administrative workstations.
- Increase audit logging verbosity for role and client management operations to surface exploitation attempts quickly.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

