CVE-2026-9791 PUBLISHED

Keycloak-rhel9: organization data leak after feature disabled in keycloak

Assigner: redhat
Reserved: 28.05.2026 Published: 28.05.2026 Updated: 28.05.2026

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Red Hat
Product	Red Hat Build of Keycloak
Versions	Default: affected

Workarounds

Administrators should verify that disabling the Organizations feature properly blocks all organization-related functionality. Consider implementing additional access controls or removing organization memberships before disabling the feature.

Credits

Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue.

References

Problem Types

Incorrect Authorization CWE