CVE-2026-9088

LOW(2.7)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Risk Signal Score7/100 — NIEDRIG

EPSS-Score

Exploit-Wahrscheinlichkeit (30 Tage)

CVSS Score

2.7

Technische Schwere

Beschreibung

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.

Referenzen

https://access.redhat.com/errata/RHSA-2026:25097
https://access.redhat.com/errata/RHSA-2026:25098
https://access.redhat.com/security/cve/CVE-2026-9088
https://bugzilla.redhat.com/show_bug.cgi?id=2480179