PatchSiren cyber security CVE debrief
CVE-2026-16072 Red Hat CVE debrief
A flaw was found in the organization management component of Keycloak. A delegated administrator with permission to manage organizations can create an invitation for a non-existent email address and then retrieve the secret registration link directly through the application programming interface. By using this link, the administrator can create new user accounts and add them to the organization without having the required user management permissions or access to the invited email account. This allows an administrator to bypass security boundaries and add unauthorized members to an organization. The CVE record was published on 2026-07-17T14:17:21.860Z and has not been modified since then.
- Vendor
- Red Hat
- Product
- Red Hat Build of Keycloak
- CVSS
- MEDIUM 4.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of Keycloak, particularly those with delegated administrator permissions, security teams, and vulnerability management teams should be aware of this vulnerability and take steps to mitigate it by reviewing and restricting delegated administrator permissions, monitoring organization membership changes, and implementing additional access controls for user management.
Technical summary
The vulnerability exists in the organization management component of Keycloak. A delegated administrator can exploit this flaw by creating an invitation for a non-existent email address and then retrieving the secret registration link through the API. This allows the administrator to create new user accounts and add them to the organization without proper permissions, potentially bypassing security boundaries.
Defensive priority
Medium
Recommended defensive actions
- Review and restrict delegated administrator permissions
- Monitor organization membership changes
- Implement additional access controls for user management
- Confirm whether affected Keycloak deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-17T14:17:21.860Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence is limited to CVE and NVD details. Defenders should verify Keycloak organization management component configurations and monitor for suspicious user account creations.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T14:17:21.860Z and has not been modified since then.