Keycloak Admin API Auth Bypass: Org Membership Enumeration
CVE-2026-2366 Published on March 12, 2026
Keycloak: keycloak: information disclosure via authorization bypass in admin api
A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
Vulnerability Analysis
CVE-2026-2366 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be a small impact on confidentiality and a small impact on integrity and availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-2366 has been classified as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
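As an added illustration of the IDOR pattern described above (this is not Keycloak's code; the handler names, the sample UUIDs and the gatekeeping role are assumptions), a minimal membership lookup is shown with the missing object-level check beside the corrected one:

```python
from dataclasses import dataclass, field

# Constructed sample data (not real Keycloak identifiers): user UUID -> org names.
USER_ORGS = {
    "4f1c6f1e-0000-4000-8000-000000000001": {"org-acme"},
    "4f1c6f1e-0000-4000-8000-000000000002": {"org-acme", "org-globex"},
}

@dataclass
class Principal:
    """Authenticated caller; roles is the set of admin roles the token carries."""
    user_id: str
    roles: set = field(default_factory=set)

class Unauthorized(Exception):
    """No valid token presented (would be HTTP 401)."""

class Forbidden(Exception):
    """Authenticated, but not allowed to read this object (would be HTTP 403)."""

def get_org_memberships_vulnerable(caller, target_user_id):
    """IDOR: authentication is checked, but the object key taken from the
    request (target_user_id) is never tied back to the caller, so any
    logged-in user who knows a UUID can read that user's memberships."""
    if caller is None:
        raise Unauthorized()
    return sorted(USER_ORGS.get(target_user_id, set()))

def get_org_memberships_fixed(caller, target_user_id, required_role="view-users"):
    """Object-level authorization: a caller may read only its own record
    unless it holds the admin role (assumed here to be 'view-users')."""
    if caller is None:
        raise Unauthorized()
    if target_user_id != caller.user_id and required_role not in caller.roles:
        # Same response whether or not the target exists, so the check
        # itself cannot be used to confirm that a UUID is valid.
        raise Forbidden()
    return sorted(USER_ORGS.get(target_user_id, set()))

def probe(handler, caller, target_user_id):
    """Run one request against a handler and report the outcome as a tuple,
    which makes the two handlers easy to compare on the same input."""
    try:
        return "ok", handler(caller, target_user_id)
    except Forbidden:
        return "forbidden", None
    except Unauthorized:
        return "unauthorized", None
```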
Products Associated with CVE-2026-2366