Authorization bypass through user-controlled key in Keycloak - CVE-2026-9099

Published: June 29, 2026
Vulnerability identifier: #VU135697
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-9099
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software: Keycloak

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges and compromise administrative accounts.

The vulnerability exists due to improper access control in the GroupResource.addChild() endpoint within the Admin REST API when handling group reparenting requests. A remote privileged user can reparent a highly privileged group under a managed low-privilege group to escalate privileges and compromise administrative accounts.

Only instances with Fine-Grained Admin Permissions v2 enabled are vulnerable to the described privilege inheritance abuse.
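To make the inheritance mechanism concrete, the following is an added Python model, not Keycloak's code: it assumes the flawed check only authorizes the target parent, and contrasts it with a check that also requires manage permission on the group being moved (evaluated before the move) and rejects cycles.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


class Forbidden(Exception):
    """Raised when the caller lacks the required fine-grained permission."""


@dataclass
class Group:
    name: str
    managers: set = field(default_factory=set)  # admins holding "manage" on this group
    parent: Optional["Group"] = None


def effective_managers(g: Group) -> set:
    """Model of permission inheritance: a manage grant on a group also covers
    its subgroups, so whoever manages any ancestor effectively manages g."""
    out, cur = set(), g
    while cur is not None:
        out |= cur.managers
        cur = cur.parent
    return out


def add_child_lenient(caller: str, parent: Group, child: Group) -> None:
    """Assumed flawed shape: only the new parent is authorized, so moving a
    privileged group under a group the caller manages hands it to the caller."""
    if caller not in effective_managers(parent):
        raise Forbidden(f"{caller} does not manage {parent.name}")
    child.parent = parent


def add_child_strict(caller: str, parent: Group, child: Group) -> None:
    """Hardened model: the caller must already manage the group being moved,
    checked before the move changes the tree, and the move must not form a cycle."""
    if caller not in effective_managers(parent):
        raise Forbidden(f"{caller} does not manage {parent.name}")
    if caller not in effective_managers(child):
        raise Forbidden(f"{caller} does not manage {child.name}")
    cur = parent
    while cur is not None:  # refuse to move a group under its own subtree
        if cur is child:
            raise ValueError(f"{child.name} cannot become its own descendant")
        cur = cur.parent
    child.parent = parent


def caller_gains_manage(check: Callable[[str, Group, Group], None]) -> bool:
    """Constructed realm: 'alice' manages only 'support'; 'root' manages 'realm-admins'.
    Returns True if alice effectively manages realm-admins after the reparent attempt."""
    support = Group("support", managers={"alice"})
    admins = Group("realm-admins", managers={"root"})
    try:
        check("alice", support, admins)
    except Forbidden:
        pass
    return "alice" in effective_managers(admins)
```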


How to mitigate CVE-2026-9099

Install the security update from the vendor's website.