CVE Catalog

CVE-2026-9083

MediumCVSS 4.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.50%

39th percentile — higher than 39% of all known CVEs

Summary

A flaw was found in Keycloak where a realm administrator with the 'manage-realm' role can submit an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows probing of arbitrary filesystem paths to determine which files exist and are readable by the Keycloak process.

Risk Assessment

The risk is information disclosure about existing files on the system, which could help an attacker identify high-value targets for follow-on attacks, such as configuration files or credentials.

Recommendation

It is recommended to immediately update Keycloak to a version that fixes this vulnerability and restrict the 'manage-realm' role to trusted administrators only.

Original NVD description (English source)

A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS