CVE-2026-9791
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk12th percentile - higher than 12% of all known CVEs
Summary
A flaw was found in Keycloak where an authenticated user with existing organization membership can disclose organization metadata in OIDC tokens or via the account API, even after the administrator has disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.
Risk Assessment
The risk is that administrators may incorrectly assume that disabling the Organizations feature completely removes organization information from tokens, which could result in improper access grants to resources.
Recommendation
It is recommended to immediately update Keycloak to a version that fixes this vulnerability and to review OIDC scope and account API configurations for unintended disclosure of organization data.
Original NVD description (English source)
A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.

