PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-16072 Red Hat CVE debrief

A flaw was found in the organization management component of Keycloak. A delegated administrator with permission to manage organizations can create an invitation for a non-existent email address and then retrieve the secret registration link directly through the application programming interface. By using this link, the administrator can create new user accounts and add them to the organization without having the required user management permissions or access to the invited email account. This allows an administrator to bypass security boundaries and add unauthorized members to an organization. The CVE record was published on 2026-07-17T14:17:21.860Z and has not been modified since then.

Vendor
Red Hat
Product
Red Hat Build of Keycloak
CVSS
MEDIUM 4.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Keycloak, particularly those with delegated administrator permissions, security teams, and vulnerability management teams should be aware of this vulnerability and take steps to mitigate it by reviewing and restricting delegated administrator permissions, monitoring organization membership changes, and implementing additional access controls for user management.

Technical summary

The vulnerability exists in the organization management component of Keycloak. A delegated administrator can exploit this flaw by creating an invitation for a non-existent email address and then retrieving the secret registration link through the API. This allows the administrator to create new user accounts and add them to the organization without proper permissions, potentially bypassing security boundaries.

Defensive priority

Medium

Recommended defensive actions

  • Review and restrict delegated administrator permissions
  • Monitor organization membership changes
  • Implement additional access controls for user management
  • Confirm whether affected Keycloak deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-17T14:17:21.860Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence is limited to CVE and NVD details. Defenders should verify Keycloak organization management component configurations and monitor for suspicious user account creations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T14:17:21.860Z and has not been modified since then.