CVE-2026-9088

CVE Database · CVE-2026-9088

CVE-2026-9088

· LOWAwaiting Analysis

CVSS v3.1

2.7

EPSS

0.32%

Published

Jun 5, 2026

Modified

Jun 10, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Weaknesses (CWE)

CWE-1220

References (4)

https://access.redhat.com/errata/RHSA-2026:25097

https://access.redhat.com/errata/RHSA-2026:25098

https://access.redhat.com/security/cve/CVE-2026-9088

https://bugzilla.redhat.com/show_bug.cgi?id=2480179

KEV Catalog EPSS Scores Vendors All CVEs