Medium severity (score 6.5) · NVD Advisory · Published May 28, 2026

CVE-2026-9796


Description

A flaw was found in Keycloak. An authenticated administrator with the manage-clients role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to realm-admin for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A TOCTOU vulnerability in Keycloak lets an admin with `manage-clients` escalate to realm-admin by exploiting a race in name-based role checks.

Vulnerability

A time-of-check to time-of-use (TOCTOU) flaw exists in the name-based admin role checks of Keycloak [1][2]. An authenticated administrator holding the manage-clients role can trigger a race condition that bypasses the intended permission verification, allowing the attacker to gain the realm-admin composite role. The resulting composite role relationship persists even after the attacker's own manage-clients permissions are revoked, and it survives system reboots. The precise affected versions are not publicly specified in the available references; however, the flaw was reported in May 2026 [1][2].

Exploitation

The attacker must have an authenticated Keycloak administrative session with the manage-clients role [1][2]. Exploitation relies on the TOCTOU race window between the time a role is checked by name and the time it is used for an authorization decision. The attacker likely manipulates client-related operations to trigger this race, resulting in the assignment of the realm-admin role. No further user interaction or network position beyond access to the admin console is required [2].

Impact

Successful exploitation escalates the attacker's privileges from a limited manage-clients administrator to realm-admin for all users within the same realm [1][2]. This grants extensive control over the Keycloak realm, including the ability to manage users, roles, clients, and authentication flows—effectively compromising the entire realm's confidentiality, integrity, and availability.

Mitigation

As of the publication date (2026-05-28), no patch or fixed version has been released [1][2]. Red Hat has acknowledged the vulnerability (Bugzilla 2482464) but has not yet provided a mitigation or workaround. Administrators should monitor Red Hat's security advisories for an upcoming update. There is no known inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog for this CVE.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 2

News mentions: 0 (no linked articles indexed yet)