PT-2026-44187 · Red Hat · Keycloak

Daniel Peters

+2

·

Published

2026-05-28

·

Updated

2026-06-03

·

CVE-2026-9796

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)
Description An authenticated administrator possessing the manage-clients role can exploit a Time-of-check to time-of-use (TOCTOU) flaw in name-based admin role checks. TOCTOU is a race condition where a system checks a condition and then uses the result of that check, but the condition changes between the check and the use. This allows an attacker to escalate privileges to realm-admin for all users within the realm, providing extensive system control. The composite role relationship remains active even after the attacker's permissions are revoked or the system is rebooted.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

LPE

Time Of Check To Time Of Use

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9796
GHSA-PQ65-77RC-7R8C

Affected Products

Keycloak