CVE-2026-2366: Keycloak vulnerable to authorization bypass via the Admin API

March 12, 2026

A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim’s unique identifier (UUID) and the Organizations feature is enabled.

References

access.redhat.com/security/cve/CVE-2026-2366
bugzilla.redhat.com/show_bug.cgi?id=2439081
github.com/advisories/GHSA-r8jr-wg88-fq5c
github.com/keycloak/keycloak
github.com/keycloak/keycloak/issues/47062
nvd.nist.gov/vuln/detail/CVE-2026-2366

Code Behaviors & Features

Detect and mitigate CVE-2026-2366 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →