CVE-2026-9088
LowCVSS 2.7Exploitation Probability (EPSS)
Low risk27th percentile — higher than 27% of all known CVEs
Summary
A flaw was found in Keycloak where an administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint, allowing viewing of user attributes explicitly configured as denied, leading to information disclosure.
Risk Assessment
The risk involves unauthorized disclosure of sensitive user attributes, potentially compromising data confidentiality and access control policies in the organization.
Recommendation
It is recommended to immediately update Keycloak to a version that fixes this vulnerability and review the configuration of delegated access permissions for administrators.
Original NVD description (English source)
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.

