Keycloak: Unauthorized Access to User Organization Memberships

CVE-2026-2366 GHSA-r8jr-wg88-fq5c
Summary

Keycloak's Admin API allows any authenticated user to see which organizations another user belongs to, provided they know that user's ID and the Organizations feature is enabled. An attacker can therefore learn a user's organization memberships without holding any administrative privileges. Until a fix is available, Keycloak operators should ensure that only authorized users can reach the Admin API.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor     Product                                  Affected versions   Fix available
keycloak   keycloak-admin-client                    <= 26.5.5           none yet
           org.keycloak:keycloak-js-admin-client    <= 26.5.5           none yet
Original title
Keycloak vulnerable to authorization bypass via the Admin API
Original description
A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
NVD CVSS v3.1 score: 3.1
Vulnerability type
CWE-639 Authorization Bypass Through User-Controlled Key
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026