PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9796 Red Hat CVE debrief

A Time-of-check to time-of-use (TOCTOU) vulnerability in Keycloak allows an authenticated administrator with `manage-clients` role to escalate privileges to `realm-admin` for all users within the realm. The attack exploits a race condition in name-based administrative role checks, and the resulting composite role relationship persists even after the attacker's permissions are revoked or following system reboots.

Vendor: Red Hat
Product: Red Hat Build of Keycloak
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running Keycloak identity and access management systems, particularly those with delegated administrative models using the `manage-clients` role. Security teams responsible for privilege management, identity administrators, and compliance officers monitoring for unauthorized privilege escalation in IAM infrastructure.

Technical summary

The vulnerability exists in Keycloak's name-based administrative role checking mechanism. An attacker holding the `manage-clients` role can exploit a race condition between the moment a role check is performed and the moment the role assignment is actually used. This TOCTOU window lets the attacker establish a composite role relationship that elevates privileges to `realm-admin` scope across all users in the realm. Critically, the escalation is persistent: because the composite relationship is stored as realm state rather than derived from the attacker's session, it remains intact after the attacker's original `manage-clients` permission is revoked and survives system reboots. The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N indicates network attack vector, low attack complexity, high privileges required (an existing administrator), no user interaction, unchanged scope, and high impact to confidentiality and integrity with no availability impact. The PR:H component is what holds the base score at MEDIUM; the realm-wide blast radius and the persistence of the grant are why the defensive priority below is rated higher than the score alone suggests.

Defensive priority

HIGH

Recommended defensive actions

  • Review and audit all Keycloak realm administrators with `manage-clients` role for suspicious composite role assignments
  • Implement role-based access control (RBAC) monitoring to detect unexpected `realm-admin` privilege grants
  • Apply principle of least privilege by restricting `manage-clients` role to only necessary administrative accounts
  • Monitor Keycloak audit logs for anomalous role composition changes, particularly those involving `realm-admin`
  • Verify and remediate any persistent composite role relationships that survive permission revocation or system restart
  • Await and deploy vendor security patches from Red Hat when available
  • Consider additional authorization checks on role modification operations as an interim measure; note that rate limiting only narrows a TOCTOU window and does not close it, so it is no substitute for the vendor fix
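The two checks recommended above (auditing the composite-role graph for anything that reaches `realm-admin`, and flagging admin events that add `realm-admin` to a role's composites) can both be run offline against data exported from Keycloak. The following is an added example written for this debrief, not code from Keycloak, Red Hat, or PatchSiren. The composite graph and the admin-event records are constructed samples; role names other than the standard `realm-management` client roles, role ids, user ids and IP addresses are hypothetical. The record shape follows Keycloak's AdminEventRepresentation, and the composite endpoints referenced in comments are the Admin REST API paths `/roles-by-id/{id}/composites` and `/clients/{id}/roles/{role-name}/composites`.

```python
"""Offline helpers for the two audit checks in the CVE-2026-9796 debrief:
(1) find roles whose composite closure reaches `realm-admin`, and
(2) flag admin events that add `realm-admin` to some role's composites.
Sample data below is constructed for illustration."""
import json
from collections import deque

# Constructed sample of the composite graph of the `realm-management` client
# roles: role name -> names of roles it directly contains.  In a live audit
# fetch this per role with
#   GET /admin/realms/{realm}/clients/{id}/roles/{role-name}/composites
SAMPLE_COMPOSITES = {
    "realm-admin": ["manage-clients", "manage-users", "view-realm"],
    "manage-clients": [],
    "manage-users": [],
    "view-realm": [],
    # Hypothetical delegated-admin roles created by a tenant administrator.
    "helpdesk": ["manage-users"],                 # benign
    "app-onboarding": ["manage-clients", "ops"],  # reaches realm-admin via ops
    "ops": ["realm-admin"],                       # the planted link
}


def composite_closure(role, composites):
    """All roles transitively granted by `role` (cycle-safe BFS)."""
    seen, queue = set(), deque([role])
    while queue:
        for child in composites.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def roles_reaching(target, composites):
    """Roles other than `target` whose closure contains `target`.  Every hit
    silently grants `target` to each user or group the role is mapped to,
    regardless of who created the link or whether they still have rights."""
    return sorted(r for r in composites
                  if r != target and target in composite_closure(r, composites))


# Constructed admin-event records (hypothetical ids, users and addresses).
# `representation` is the request body stored as a JSON string, which is
# only present when "Include representation" is enabled for admin events.
SAMPLE_ADMIN_EVENTS = [
    {"time": 1780000000000, "operationType": "CREATE",
     "resourcePath": "roles-by-id/role-7c1e/composites",
     "authDetails": {"userId": "u-delegated-admin", "ipAddress": "10.0.0.5"},
     "representation": json.dumps([{"id": "role-a1", "name": "manage-users"}])},
    {"time": 1780000000500, "operationType": "CREATE",
     "resourcePath": "roles-by-id/role-9a4f/composites",
     "authDetails": {"userId": "u-delegated-admin", "ipAddress": "10.0.0.5"},
     "representation": json.dumps([{"id": "role-b2", "name": "realm-admin"}])},
    {"time": 1780000001000, "operationType": "UPDATE",
     "resourcePath": "clients/client-abc/roles/ops",
     "authDetails": {"userId": "u-delegated-admin", "ipAddress": "10.0.0.5"},
     "representation": json.dumps({"name": "ops"})},
]


def flag_composite_grants(events, watched=("realm-admin",)):
    """Return (time, actor, ip, path, matched names) for every event that
    adds a watched role to a role's composites.  Matching on the path suffix
    covers both the roles-by-id and the clients/{id}/roles/{name} endpoints."""
    watch = set(watched)
    hits = []
    for ev in events:
        path = ev.get("resourcePath", "")
        if ev.get("operationType") != "CREATE" or not path.endswith("/composites"):
            continue
        try:
            body = json.loads(ev.get("representation") or "[]")
        except json.JSONDecodeError:
            continue  # representation disabled or truncated: cannot classify
        names = {r.get("name") for r in body if isinstance(r, dict)} & watch
        if names:
            auth = ev.get("authDetails", {})
            hits.append((ev["time"], auth.get("userId"), auth.get("ipAddress"),
                         path, sorted(names)))
    return hits


if __name__ == "__main__":
    print("roles that reach realm-admin:", roles_reaching("realm-admin", SAMPLE_COMPOSITES))
    for hit in flag_composite_grants(SAMPLE_ADMIN_EVENTS):
        print("composite grant of", hit[4], "by", hit[1], "from", hit[2], "at", hit[3])
```

Run the closure check against the current state of every realm, not just the one where the delegated administrator lives, and treat any role other than `realm-admin` that reaches `realm-admin` as a finding to remove. The event scan only works if admin events are enabled for the realm with "Include representation" turned on; without the representation the record still shows that a composite was added, but not which role was added.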

Evidence notes

Official CVE record published 2026-05-28 with CVSS 3.1 score 6.5 (MEDIUM). CWE-367 (TOCTOU Race Condition) identified as primary weakness. Vendor evidence points to Red Hat as source. Vulnerability status marked 'Undergoing Analysis' per NVD.
