PatchSiren cyber security CVE debrief
CVE-2026-9099 Red Hat CVE debrief
CVE-2026-9099 is a high-severity vulnerability in Keycloak that allows an authenticated user to reparent a highly privileged group, potentially leading to a full realm takeover. The flaw is caused by a missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group under their managed group. Because management permissions on a group extend to its subgroups, this move grants the attacker, without any authorization, management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise that account, and achieve a full realm takeover, resulting in a complete loss of confidentiality, integrity, and availability.
- Vendor: Red Hat
- Product: Red Hat build of Keycloak 26.4
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-25
- Original CVE updated: 2026-07-01
- Advisory published: 2026-06-25
- Advisory updated: 2026-07-01
Who should care
Administrators and users of Keycloak, particularly those with Fine-Grained Admin Permissions v2 (FGAPv2) enabled, should be aware of this vulnerability and take immediate action to mitigate it. This vulnerability can be exploited by an authenticated user with limited administrative privileges, making it a high-risk issue for organizations using Keycloak.
Technical summary
The vulnerability is caused by a missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API of Keycloak. This allows an authenticated user with management rights over a single low-privilege group to reparent a highly privileged group under their managed group when Fine-Grained Admin Permissions v2 (FGAPv2) is enabled. The CVSS score for this vulnerability is 7.7, indicating a high severity level. The vulnerability is classified under CWE-639.
Defensive priority
High priority should be given to patching this vulnerability, as it can be exploited by an authenticated user with limited administrative privileges. Immediate action is necessary to prevent potential attacks.
Recommended defensive actions
- Apply the patches provided by Red Hat to address this vulnerability.
- Restrict access to the Admin REST API to only trusted users and groups.
- Monitor for any suspicious activity related to group reparenting.
- Consider disabling Fine-Grained Admin Permissions v2 (FGAPv2) if not necessary.
- Implement additional security measures, such as multi-factor authentication and regular password rotation.
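The monitoring item above can be made concrete. The following is an added example, not code from this debrief or from Keycloak: it scans constructed admin-event records for an existing, watchlisted group being added as a child of another group by an actor outside a trusted set. The field names follow Keycloak's admin-event JSON; that a reparent through GroupResource.addChild() appears as an UPDATE on groups/<parent-id>/children carrying the moved group's id is an assumption to confirm against your own event log.

```python
import json

# Constructed sample admin-event records (not real logs). That a reparent via
# GroupResource.addChild() is logged as UPDATE on groups/<parent>/children with
# the moved group's id in the representation is an assumption.
SAMPLE_EVENTS = [
    '{"operationType":"CREATE","resourceType":"GROUP","resourcePath":"groups/g-sales/children",'
    '"authDetails":{"userId":"bob-groupadmin"},"representation":"{\\"name\\":\\"sales-west\\"}"}',
    '{"operationType":"UPDATE","resourceType":"GROUP","resourcePath":"groups/g-sales/children",'
    '"authDetails":{"userId":"bob-groupadmin"},"representation":"{\\"id\\":\\"g-realm-admins\\"}"}',
    '{"operationType":"UPDATE","resourceType":"GROUP","resourcePath":"groups/g-it/children",'
    '"authDetails":{"userId":"alice-realm-admin"},"representation":"{\\"id\\":\\"g-realm-admins\\"}"}',
    '{"operationType":"UPDATE","resourceType":"USER","resourcePath":"users/u-1",'
    '"authDetails":{"userId":"bob-groupadmin"},"representation":"{}"}',
]

# Watchlist of group ids whose parent must never change (constructed values).
PRIVILEGED_GROUP_IDS = {"g-realm-admins"}
# Actors allowed to move privileged groups; anyone else is flagged (assumption).
TRUSTED_ACTORS = {"alice-realm-admin"}


def reparent_target(event):
    """Return (parent_id, moved_group_id) if the event is an existing group being
    added as a child of another group, else None (new subgroups are CREATE events)."""
    if event.get("resourceType") != "GROUP" or event.get("operationType") != "UPDATE":
        return None
    parts = event.get("resourcePath", "").split("/")
    if len(parts) != 3 or parts[0] != "groups" or parts[2] != "children":
        return None
    moved = json.loads(event.get("representation") or "{}").get("id")
    return (parts[1], moved) if moved else None


def find_suspicious_reparents(lines, privileged=PRIVILEGED_GROUP_IDS, trusted=TRUSTED_ACTORS):
    """Flag events where a watchlisted group was reparented by a non-trusted actor."""
    hits = []
    for line in lines:
        event = json.loads(line)
        target = reparent_target(event)
        if target is None:
            continue
        parent, moved = target
        actor = (event.get("authDetails") or {}).get("userId")
        if moved in privileged and actor not in trusted:
            hits.append({"actor": actor, "moved_group": moved, "new_parent": parent})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_reparents(SAMPLE_EVENTS):
        print("ALERT privileged group reparented:", hit)
```

Against the constructed sample this flags only the move of g-realm-admins under g-sales by bob-groupadmin; the same move by a trusted actor and the creation of a new subgroup pass.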
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, its severity, and potential impact. Red Hat has provided errata and patches to address this vulnerability. The Bugzilla entry provides additional details on the issue.
Official resources
- CVE-2026-9099 CVE record (CVE.org)
- CVE-2026-9099 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c - Third Party Advisory
This article was generated with AI assistance based on the supplied source corpus.