PatchSiren cyber security CVE debrief

CVE-2026-9791 Red Hat CVE debrief

A medium-severity information disclosure vulnerability in Keycloak allows authenticated users with existing organization membership to obtain organization metadata in tokens even after administrators disable the Organizations feature. The flaw affects user-facing APIs including the account API and OIDC token requests with the 'organization' scope. This residual data exposure may lead to incorrect authorization decisions by resource servers that rely on token claims. The vulnerability was published on 2026-05-28 and is currently undergoing analysis in the NVD. Red Hat has assigned this CVE and is tracking it in their Bugzilla system.

Vendor: Red Hat
Product: Red Hat Build of Keycloak
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

  • Organizations running Keycloak identity and access management with the Organizations feature previously enabled
  • Security teams responsible for OIDC/OAuth2 token validation and authorization policy enforcement
  • Application owners relying on organization claims for access control decisions
  • Compliance teams monitoring for residual data exposure after feature disablement

Technical summary

The vulnerability stems from incomplete enforcement of the Organizations feature disablement in Keycloak's token issuance pipeline. When an administrator disables the Organizations feature, the system fails to properly sanitize or suppress organization-related claims in tokens issued to users who retain existing organization membership. The attack surface includes: (1) the account API, which may return organization metadata in responses or token introspection; and (2) OIDC token requests specifying the 'organization' scope, where the authorization server incorrectly includes organization claims despite feature disablement. Resource servers consuming these tokens may make authorization decisions based on stale or unintended organization membership data. The CVSS 4.3 score reflects limited confidentiality impact (C:L) with no integrity or availability effects. The authenticated nature of the attack (PR:L) and network accessibility (AV:N) make this exploitable by any compromised or malicious user account with prior organization membership.

Defensive priority

Medium

Recommended defensive actions

  • Review Keycloak configuration to verify Organizations feature disablement is properly enforced across all token issuance paths
  • Audit existing OIDC clients and account API access for organization scope usage
  • Inspect access tokens and ID tokens for residual organization claims when Organizations feature is disabled
  • Monitor resource server authorization decisions for unexpected organization-based access grants
  • Apply vendor patches when available from Red Hat/Keycloak maintainers
  • Consider implementing additional token claim validation at resource servers to reject unexpected organization metadata
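The last two actions above (inspecting tokens for residual organization claims and rejecting them at the resource server) can be implemented as a claim check after signature verification. The following is an added example, not code from PatchSiren, Red Hat or the Keycloak project; it assumes that Keycloak emits the organization data under a top-level `organization` claim keyed by organization alias, and that the `scope` claim is a space-separated string.

```python
import base64
import json

ORG_CLAIM = "organization"  # claim name assumed for the 'organization' scope
ORG_SCOPE = "organization"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    # Extracts the payload only. Signature verification against the realm's
    # JWKS is assumed to happen before these claims are trusted.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_org_claims(claims: dict, organizations_enabled: bool, allowed_orgs=None) -> list:
    """Return the reasons a token should be rejected (empty list = accept)."""
    problems = []
    scopes = set(claims.get("scope", "").split())
    org = claims.get(ORG_CLAIM)
    if not organizations_enabled:
        # With the feature disabled, no token should carry organization data at all;
        # this is the residual exposure the advisory describes.
        if ORG_SCOPE in scopes:
            problems.append("organization scope granted while feature disabled")
        if org is not None:
            problems.append("residual organization claim present")
        return problems
    if org is None:
        return problems
    if not isinstance(org, dict):
        problems.append("organization claim has unexpected shape")
        return problems
    if allowed_orgs is not None:
        # Reject membership the resource server does not know about
        unknown = sorted(set(org) - set(allowed_orgs))
        if unknown:
            problems.append("unexpected organizations: " + ", ".join(unknown))
    return problems


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token for local testing only
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```

Run `check_org_claims` with `organizations_enabled=False` on tokens issued after the feature was switched off; any non-empty result is a token that should be rejected and logged.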

Evidence notes

The CVE description confirms an authenticated attack vector with PR:L (Privileges Required: Low). CVSS 4.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N indicates a network-accessible, low-complexity attack requiring authenticated access. Red Hat classifies the flaw as CWE-863 (Incorrect Authorization). Source references confirm Red Hat as the assigning CNA with active tracking.
