CVE-2026-9099

Description

A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2026:30049
VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2026:30050
VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2026:30083
VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2026:30084
VENDOR_ADVISORYhttps://access.redhat.com/security/cve/CVE-2026-9099
MISChttps://bugzilla.redhat.com/show_bug.cgi?id=2480182