PatchSiren cyber security CVE debrief

CVE-2026-9099 Red Hat CVE debrief

CVE-2026-9099 is a high-severity vulnerability in Keycloak that lets an authenticated user with limited administrative rights reparent a highly privileged group, potentially leading to a full realm takeover. The flaw is a missing authorization check in the GroupResource.addChild() endpoint of the Admin REST API. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker who holds management rights over a single low-privilege group can move a highly privileged group under that managed group. The attacker thereby obtains management and password-reset capabilities over the members of the privileged group, capabilities they were never granted. From there the attacker can reset an administrator's password, take over that account and achieve a full realm takeover: a complete compromise of confidentiality, integrity and availability.

Vendor
Red Hat
Product
Red Hat build of Keycloak 26.4
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-25
Original CVE updated
2026-07-01
Advisory published
2026-06-25
Advisory updated
2026-07-01

Who should care

Administrators of Keycloak deployments, and in particular of deployments with Fine-Grained Admin Permissions v2 (FGAPv2) enabled, should treat this as urgent. The precondition is modest: the attacker only needs to be an authenticated user who already holds management rights over one low-privilege group, which is exactly the kind of access that FGAPv2 is used to delegate to helpdesk staff, team leads or tenant administrators. Any organization that has granted such delegated group management is exposed until patched.

Technical summary

The vulnerability is a missing authorization check in the GroupResource.addChild() endpoint of the Keycloak Admin REST API (the operation behind POST /admin/realms/{realm}/groups/{id}/children). In effect, the endpoint verifies that the caller may manage the destination parent group, but not that the caller may manage the existing group being moved under it. With FGAPv2 enabled, an authenticated user who manages a single low-privilege group can therefore reparent a highly privileged group into their own subtree and, because management rights cover the members of groups below the managed group, gain control over those privileged members. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key): the user-supplied identifier of the group to move is acted on without an authorization check against that object. The CVSS score is 7.7 (High).
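The following toy model illustrates the gap described above. It is an added example for this debrief, not Keycloak source code, and it assumes only what the advisory states: under FGAPv2, manage permission on a group also covers the members of its descendant groups, and addChild() authorized the caller against the destination parent but not against the group being moved. Group and user names are constructed; the fixed variant simply adds the missing check on the moved group.

```python
"""Toy model of the authorization gap behind CVE-2026-9099.

Added illustration for this debrief, not Keycloak source code. Assumptions:
manage permission on a group applies to every group below it (the inherited
control the advisory describes), and the vulnerable reparent operation checks
the destination parent only. Group and user names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller lacks manage permission on a group."""


@dataclass
class Group:
    name: str
    parent: Group | None = None
    members: set[str] = field(default_factory=set)


class Realm:
    def __init__(self):
        self.groups: dict[str, Group] = {}
        # caller -> names of groups they may manage (an FGAPv2-style scope)
        self.manage_scope: dict[str, set[str]] = {}

    def add_group(self, name, parent=None, members=()):
        self.groups[name] = Group(name, self.groups[parent] if parent else None, set(members))

    def can_manage(self, caller, group_name):
        """Assumption: manage on a group applies to the group and all its descendants."""
        scope = self.manage_scope.get(caller, set())
        g = self.groups[group_name]
        while g is not None:
            if g.name in scope:
                return True
            g = g.parent
        return False

    def manageable_users(self, caller):
        """Users whose passwords the caller could reset through group management."""
        return {u for g in self.groups.values() if self.can_manage(caller, g.name)
                for u in g.members}

    def _reparent(self, parent, child):
        # A group must never be moved under itself or one of its own descendants.
        g = self.groups[parent]
        while g is not None:
            if g.name == child:
                raise ValueError("reparenting would create a cycle")
            g = g.parent
        self.groups[child].parent = self.groups[parent]

    def add_child_vulnerable(self, caller, parent, child):
        """Authorizes the caller on the destination parent only (the gap)."""
        if not self.can_manage(caller, parent):
            raise Forbidden(parent)
        self._reparent(parent, child)

    def add_child_fixed(self, caller, parent, child):
        """Additionally requires manage permission on the group being moved."""
        if not self.can_manage(caller, parent):
            raise Forbidden(parent)
        if not self.can_manage(caller, child):
            raise Forbidden(child)
        self._reparent(parent, child)


def build_realm():
    # Constructed realm: a privileged group and a low-privilege delegated admin.
    r = Realm()
    r.add_group("realm-admins", members={"alice"})
    r.add_group("contractors", members={"mallory"})
    r.manage_scope["mallory"] = {"contractors"}
    return r


def escalation_vulnerable():
    """Returns the users mallory can manage before and after the reparent."""
    r = build_realm()
    before = r.manageable_users("mallory")
    r.add_child_vulnerable("mallory", "contractors", "realm-admins")
    return before, r.manageable_users("mallory")


def escalation_fixed():
    """With the extra check, the same move is refused."""
    r = build_realm()
    try:
        r.add_child_fixed("mallory", "contractors", "realm-admins")
    except Forbidden as e:
        return f"denied: no manage permission on {e}"
    return "moved"


if __name__ == "__main__":
    print(escalation_vulnerable())
    print(escalation_fixed())
```

Running the script shows mallory's manageable set growing from {mallory} to {mallory, alice} through the vulnerable path, while the fixed path refuses the move because mallory does not manage realm-admins.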

Defensive priority

Patching should be treated as high priority. The attack requires only an authenticated user with limited administrative rights, the precondition is common in deployments that use FGAPv2 for delegated administration, and the outcome is a full realm takeover.

Recommended defensive actions

  • Apply the Red Hat errata for Red Hat build of Keycloak 26.4 that address this CVE. This is the only complete fix.
  • Until patched, inventory every principal that holds manage permission over any group under FGAPv2, including delegated helpdesk or tenant administrators. Each of them meets the precondition for this attack, so keep that set as small as possible.
  • Monitor admin events for group reparenting: an UPDATE on a GROUP resource through the groups/{id}/children path where the representation names an existing group, especially a privileged one, and the actor does not manage that group.
  • Consider disabling FGAPv2 if you are not relying on it for delegated administration. Where it is in use, disabling it also removes the delegation model, so weigh that against how quickly the patch can be applied.
  • Enforce multi-factor authentication on administrator accounts so that a reset password alone is less likely to yield a working session. Periodic password rotation does not help here, because the attacker is the one setting the new password.
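The monitoring item above can be turned into a simple scan over exported admin events. The script below is an added example for this debrief, not Keycloak or Red Hat tooling. It assumes the event shape returned by the Admin REST API (GET /admin/realms/{realm}/admin-events, with representations enabled): fields resourceType, operationType, resourcePath, representation and authDetails, and that a reparent via addChild() is recorded as an UPDATE on resourcePath groups/<parentId>/children whose representation carries the id of the existing group that was moved (a freshly created subgroup is a CREATE with no id). The sample events, user ids and group ids are constructed.

```python
"""Flag group reparenting in exported Keycloak admin events.

Added example for this debrief, not part of Keycloak or Red Hat tooling.
Assumptions (see lead-in): admin-event JSON shape from the Admin REST API,
and that a move via GroupResource.addChild() is logged as UPDATE on
groups/<parentId>/children with the moved group's id in the representation.
All sample data below is constructed.
"""
import json
import re

CHILDREN_PATH = re.compile(r"^groups/(?P<parent>[^/]+)/children$")

# Constructed sample export: one legitimate subgroup creation, one reparent
# of an existing privileged group, and one unrelated user update.
SAMPLE_EVENTS = [
    {
        "time": 1782000000000, "operationType": "CREATE", "resourceType": "GROUP",
        "resourcePath": "groups/11111111-aaaa/children",
        "representation": json.dumps({"name": "new-team"}),
        "authDetails": {"userId": "user-helpdesk", "ipAddress": "10.0.0.5"},
    },
    {
        "time": 1782000060000, "operationType": "UPDATE", "resourceType": "GROUP",
        "resourcePath": "groups/22222222-bbbb/children",
        "representation": json.dumps({"id": "99999999-ffff", "name": "realm-admins"}),
        "authDetails": {"userId": "user-mallory", "ipAddress": "198.51.100.7"},
    },
    {
        "time": 1782000120000, "operationType": "UPDATE", "resourceType": "USER",
        "resourcePath": "users/33333333-cccc",
        "representation": json.dumps({"id": "33333333-cccc", "enabled": True}),
        "authDetails": {"userId": "user-helpdesk", "ipAddress": "10.0.0.5"},
    },
]


def parse_representation(rep):
    """Admin events store the representation as a JSON string; tolerate dicts too."""
    if rep is None:
        return {}
    if isinstance(rep, dict):
        return rep
    try:
        return json.loads(rep)
    except (TypeError, ValueError):
        return {}


def find_group_moves(events, sensitive_group_ids=frozenset()):
    """Return one finding per event that reparented an existing group.

    sensitive_group_ids lets the caller mark privileged groups (for example
    the realm admin group) so those moves can be escalated first.
    """
    findings = []
    for ev in events:
        if ev.get("resourceType") != "GROUP" or ev.get("operationType") != "UPDATE":
            continue
        m = CHILDREN_PATH.match(ev.get("resourcePath") or "")
        if not m:
            continue
        rep = parse_representation(ev.get("representation"))
        moved = rep.get("id")
        if not moved:
            continue  # no id means a new child was created, not an existing group moved
        auth = ev.get("authDetails") or {}
        findings.append({
            "time": ev.get("time"),
            "actor": auth.get("userId"),
            "ip": auth.get("ipAddress"),
            "moved_group": moved,
            "moved_group_name": rep.get("name"),
            "new_parent": m.group("parent"),
            "sensitive": moved in sensitive_group_ids,
        })
    return findings


if __name__ == "__main__":
    for f in find_group_moves(SAMPLE_EVENTS, {"99999999-ffff"}):
        print(("ALERT " if f["sensitive"] else "info  ") + json.dumps(f))
```

In a real deployment, feed the script the JSON from the admin-events endpoint (or the admin-events log sink) and populate sensitive_group_ids with the ids of groups that carry realm-management roles; a move of such a group by an actor who does not manage it is the signal to investigate.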

Evidence notes

The CVE record and the NVD entry describe the vulnerability, its severity and its impact. Red Hat has published errata with patches for the affected build. The Red Hat Bugzilla entry carries additional detail on the issue. No KEV listing was present in the stored evidence at the time of writing.

Official resources

This article was generated with AI assistance based on the supplied source corpus.