{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-9791","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2026-05-28T03:07:29.305Z","datePublished":"2026-05-28T03:27:08.241Z","dateUpdated":"2026-06-10T21:21:55.907Z"},"containers":{"cna":{"title":"Keycloak-rhel9: organization data leak after feature disabled in keycloak","metrics":[{"other":{"content":{"value":"Moderate","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers."}],"affected":[{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.6","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-operator-bundle","defaultStatus":"affected","versions":[{"version":"26.6.3-3","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.6::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.6","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-rhel9","defaultStatus":"affected","versions":[{"version":"26.6-6","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.6::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.6","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-rhel9-operator","defaultStatus":"affected","versions":[{"version":"26.6-6","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.6::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.6.3","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","defaultStatus":"unaffected","packageName":"rhbk/keycloak-rhel9","cpes":["cpe:/a:redhat:build_keycloak:26.6::el9"]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:25097","name":"RHSA-2026:25097","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:25098","name":"RHSA-2026:25098","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/security/cve/CVE-2026-9791","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2482458","name":"RHBZ#2482458","tags":["issue-tracking","x_refsource_REDHAT"]}],"datePublic":"2026-05-28T03:08:53.319Z","problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"Incorrect Authorization","lang":"en","type":"CWE"}]}],"x_redhatCweChain":"CWE-863: Incorrect Authorization","workarounds":[{"lang":"en","value":"Administrators should verify that disabling the Organizations feature properly blocks all organization-related functionality. Consider implementing additional access controls or removing organization memberships before disabling the feature."}],"timeline":[{"lang":"en","time":"2026-05-28T03:06:33.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-28T03:08:53.319Z","value":"Made public."}],"credits":[{"lang":"en","value":"Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2026-06-10T21:21:55.907Z"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-28T12:18:58.165713Z","id":"CVE-2026-9791","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-28T12:19:24.869Z"}}]}}