CVE-2026-2366 — Keycloak vulnerable to authorization bypass via the Admin API

Description

A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.

How to fix CVE-2026-2366

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed

Is CVE-2026-2366 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, <= 26.5.5
from 0, <= 26.5.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.1	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-2366
PATCHgithub.com/keycloak/keycloak
WEBaccess.redhat.com/errata/RHSA-2026:6477
WEBaccess.redhat.com/errata/RHSA-2026:6478
WEBaccess.redhat.com