CVE-2026-9099: Authorization Bypass Through User-Controlled Key in Red Hat Red Hat Build of Keycloak
CVE-2026-9099 is a vulnerability in Red Hat Build of Keycloak where a missing authorization check in the GroupResource.addChild() endpoint allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 is enabled, this enables an attacker managing a low-privilege group to reparent a highly privileged group under their control, gaining unauthorized management and password-reset capabilities over privileged group members. This can lead to resetting an administrator's password and full realm takeover.
AI Analysis
Technical Summary
The vulnerability in Red Hat Build of Keycloak arises from a missing authorization check in the GroupResource.addChild() endpoint of the Admin REST API. An authenticated user with limited administrative privileges can reparent any existing group. With Fine-Grained Admin Permissions v2 enabled, an attacker managing a low-privilege group can reparent a highly privileged group (e.g., one with realm-admin role) under their group. Because group permissions are hierarchical, this grants the attacker management and password-reset capabilities over the privileged group's members, enabling them to reset administrator passwords and achieve full realm compromise, affecting confidentiality, integrity, and availability.
Potential Impact
Successful exploitation allows an attacker with limited administrative privileges to escalate their control by reparenting highly privileged groups under their own, thereby gaining management and password-reset capabilities over privileged users. This can lead to resetting administrator passwords and a complete realm takeover, resulting in full compromise of confidentiality, integrity, and availability of the affected Keycloak realm.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-9099 for current remediation guidance. Until an official fix is available, restrict administrative privileges carefully and monitor for suspicious group reparenting activities. Avoid enabling Fine-Grained Admin Permissions v2 if possible until patched.
CVE-2026-9099: Authorization Bypass Through User-Controlled Key in Red Hat Red Hat Build of Keycloak
Description
CVE-2026-9099 is a vulnerability in Red Hat Build of Keycloak where a missing authorization check in the GroupResource.addChild() endpoint allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 is enabled, this enables an attacker managing a low-privilege group to reparent a highly privileged group under their control, gaining unauthorized management and password-reset capabilities over privileged group members. This can lead to resetting an administrator's password and full realm takeover.
CVSS v3.1
Score 7.7high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Red Hat Build of Keycloak arises from a missing authorization check in the GroupResource.addChild() endpoint of the Admin REST API. An authenticated user with limited administrative privileges can reparent any existing group. With Fine-Grained Admin Permissions v2 enabled, an attacker managing a low-privilege group can reparent a highly privileged group (e.g., one with realm-admin role) under their group. Because group permissions are hierarchical, this grants the attacker management and password-reset capabilities over the privileged group's members, enabling them to reset administrator passwords and achieve full realm compromise, affecting confidentiality, integrity, and availability.
Potential Impact
Successful exploitation allows an attacker with limited administrative privileges to escalate their control by reparenting highly privileged groups under their own, thereby gaining management and password-reset capabilities over privileged users. This can lead to resetting administrator passwords and a complete realm takeover, resulting in full compromise of confidentiality, integrity, and availability of the affected Keycloak realm.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-9099 for current remediation guidance. Until an official fix is available, restrict administrative privileges carefully and monitor for suspicious group reparenting activities. Avoid enabling Fine-Grained Admin Permissions v2 if possible until patched.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-05-20T15:12:25.740Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-9099","vendor":"Red Hat"}]
Threat ID: 6a3d5b514853345fc13372d1
Added to database: 06/25/2026, 16:46:09 UTC
Last enriched: 06/25/2026, 17:01:01 UTC
Last updated: 06/25/2026, 17:01:01 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.