CVE-2026-9088: Insufficient Granularity of Access Control in Red Hat Red Hat Build of Keycloak
CVE-2026-9088 is a low-severity vulnerability in Red Hat Build of Keycloak where an administrator with delegated read access to group memberships and users can bypass user profile permissions. This flaw allows the administrator to access the group members endpoint and view user attributes that should be denied, resulting in information disclosure. There is no confirmed patch or official remediation guidance from Red Hat as of the published date. The vulnerability does not impact system integrity or availability and no known exploits are reported in the wild.
AI Analysis
Technical Summary
The vulnerability in Red Hat Build of Keycloak (CVE-2026-9088) arises from insufficient granularity in access control. Specifically, an administrator granted delegated read access to group memberships and users can circumvent user profile permission restrictions by querying the group members endpoint. This bypass enables the administrator to view user attributes explicitly configured to be denied, causing unauthorized information disclosure. The CVSS score is 2.7 (low severity), reflecting limited impact confined to confidentiality. No patch or remediation level has been officially provided by Red Hat at this time.
Potential Impact
The impact is limited to information disclosure of user attributes that should be restricted. There is no impact on integrity or availability. The vulnerability requires an administrator-level user with delegated read access, reducing the likelihood of exploitation by lower-privileged actors. No known exploits exist in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9088 for current remediation guidance. Until an official fix is available, organizations should review and potentially restrict delegated administrator permissions to minimize exposure. No vendor advisory indicates that no action is required or that the issue is already mitigated.
CVE-2026-9088: Insufficient Granularity of Access Control in Red Hat Red Hat Build of Keycloak
Description
CVE-2026-9088 is a low-severity vulnerability in Red Hat Build of Keycloak where an administrator with delegated read access to group memberships and users can bypass user profile permissions. This flaw allows the administrator to access the group members endpoint and view user attributes that should be denied, resulting in information disclosure. There is no confirmed patch or official remediation guidance from Red Hat as of the published date. The vulnerability does not impact system integrity or availability and no known exploits are reported in the wild.
CVSS v3.1
Score 2.7low
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Red Hat Build of Keycloak (CVE-2026-9088) arises from insufficient granularity in access control. Specifically, an administrator granted delegated read access to group memberships and users can circumvent user profile permission restrictions by querying the group members endpoint. This bypass enables the administrator to view user attributes explicitly configured to be denied, causing unauthorized information disclosure. The CVSS score is 2.7 (low severity), reflecting limited impact confined to confidentiality. No patch or remediation level has been officially provided by Red Hat at this time.
Potential Impact
The impact is limited to information disclosure of user attributes that should be restricted. There is no impact on integrity or availability. The vulnerability requires an administrator-level user with delegated read access, reducing the likelihood of exploitation by lower-privileged actors. No known exploits exist in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9088 for current remediation guidance. Until an official fix is available, organizations should review and potentially restrict delegated administrator permissions to minimize exposure. No vendor advisory indicates that no action is required or that the issue is already mitigated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-05-20T15:01:48.645Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-9088","vendor":"Red Hat"}]
Threat ID: 6a2282d7e29bf47b504a396f
Added to database: 6/5/2026, 8:03:35 AM
Last enriched: 6/5/2026, 8:18:34 AM
Last updated: 6/5/2026, 9:14:00 AM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.