Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Description

A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots.

Basic Information

ID CVE-2026-9796

Source redhat

Published May 28, 2026 at 04:27

Affected Product

Vendor Red Hat

Product Red Hat Build of Keycloak

CWE Classification

CWE-367

References

{
    "lastseen": "",
    "description": "A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots.",
    "published": "2026-05-28T04:27:08.794Z",
    "modified": "2026-05-28T04:27:08.794Z",
    "type": "cve",
    "title": "Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability",
    "source": "redhat",
    "references": "https://access.redhat.com/security/cve/CVE-2026-9796\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2482464",
    "id": "CVE-2026-9796",
    "bulletinFamily": "",
    "cwe": [
        "CWE-367"
    ],
    "cvelist": null,
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Red Hat Build of Keycloak",
    "version": "",
    "vendor": "Red Hat",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability_CVE-2026-9796