LOW 2.7
GHSA-6g26-7cx5-mrrg
Keycloak: Information disclosure due to user profile permission bypass
상세
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
Maven / org.keycloak:keycloak-services
최초 영향 버전:
0 수정 버전: 26.7.0 수정
# pom.xml: bump <version>26.7.0</version> for org.keycloak:keycloak-services 참고
- https://nvd.nist.gov/vuln/detail/CVE-2026-9088 [ADVISORY]
- https://github.com/keycloak/keycloak/issues/49174 [WEB]
- https://github.com/keycloak/keycloak/pull/49391 [WEB]
- https://github.com/keycloak/keycloak/commit/bf0df40a91a05e550891dcdae2d922b556db7e7b [WEB]
- https://access.redhat.com/errata/RHSA-2026:25097 [WEB]
- https://access.redhat.com/errata/RHSA-2026:25098 [WEB]
- https://access.redhat.com/errata/RHSA-2026:30049 [WEB]
- https://access.redhat.com/errata/RHSA-2026:30050 [WEB]
- https://access.redhat.com/security/cve/CVE-2026-9088 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=2480179 [WEB]
- https://github.com/keycloak/keycloak [PACKAGE]