CVE-2026-9796

EUVD-2026-32716

28.05.2026, 05:16

A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots.

TOCTOU

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 6%

Common Weakness Enumeration

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.

Vulnerability Media Exposure

[GERMAN] Keycloak: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in Keycloak ausnutzen, um seine Privilegien zu erhöhen, um Informationen offenzulegen, um Sicherheitsvorkehrungen zu umgehen und um einen Denial of Service Angriff durchzuführen.
Published: 2026-05-27T22:00:00+00:00

References

https://access.redhat.com/security/cve/CVE-2026-9796

https://bugzilla.redhat.com/show_bug.cgi?id=2482464