CVE-2026-16072 PUBLISHED

Keycloak-services: keycloak-services: organization invitation link exposure allows unauthorized member creation

Assigner: redhat
Reserved: 17.07.2026 Published: 17.07.2026 Updated: 17.07.2026

A flaw was found in the organization management component of Keycloak. A delegated administrator with permission to manage organizations can create an invitation for a non-existent email address and then retrieve the secret registration link directly through the application programming interface. By using this link, the administrator can create new user accounts and add them to the organization without having the required user management permissions or access to the invited email account. This allows an administrator to bypass security boundaries and add unauthorized members to an organization.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CVSS Score: 4.9

Product Status

Vendor Red Hat
Product Red Hat Build of Keycloak
Versions Default: affected
Vendor Red Hat
Product Red Hat Build of Keycloak
Versions Default: affected
Vendor Red Hat
Product Red Hat Build of Keycloak
Versions Default: affected
Vendor Red Hat
Product Red Hat Data Grid 8
Versions Default: unaffected
Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform Expansion Pack
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Single Sign-On 7
Versions Default: unaffected

Credits

  • Red Hat would like to thank Paul Bottinelli (Trail of Bits) for reporting this issue.

References