keycloak-services is vulnerable to Incorrect Authorization
Low Risk
Keycloak's group members endpoint (/admin/realms/{realm}/groups/{id}/members) did not enforce user profile attribute permissions when returning user representations. An administrator who had been denied view access to specific attributes, such as email or name, could still receive those restricted attributes through group member responses, even though the regular user list endpoint hid them correctly. Organization member representations were also affected. Version 26.6.3 fixes the issue by enforcing user profile attribute permissions on the group and organization members endpoints.
You are affected if you are using a version that falls within the vulnerable range.
keycloak-services is vulnerable to Incorrect Authorization in versions 26.2.0 - 26.6.2.
Upgrade the org.keycloak:keycloak-services library to the patched version (26.6.3 or later).
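A way to confirm on your own realm that the members endpoints now hide the same attributes as the user list endpoint, as an added example that is not part of this advisory or of Keycloak's code. It assumes the admin REST paths named in the advisory plus the standard `/admin/realms/{realm}/users` list, a bearer token for an administrator whose view access to the listed attributes has been removed, and constructed sample responses for the offline run; the same comparison applies to organization member responses.

```python
"""Compare the attributes two Keycloak admin endpoints return to one
restricted administrator; any attribute hidden by the users list but
present in the group members list is a leak of the kind fixed in 26.6.3."""
import json
import urllib.request

# Attributes the test administrator must NOT be able to view (constructed).
RESTRICTED_ATTRIBUTES = {"email", "firstName", "lastName"}


def fetch_json(base_url, token, path):
    """GET an admin REST path with a bearer token and parse the JSON body."""
    req = urllib.request.Request(
        f"{base_url}{path}", headers={"Authorization": f"Bearer {token}"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def visible_attributes(representations):
    """Top-level keys that carry a non-empty value in any user representation."""
    seen = set()
    for rep in representations:
        seen.update(k for k, v in rep.items() if v not in (None, "", [], {}))
    return seen


def leaked_attributes(user_list, group_members, restricted=RESTRICTED_ATTRIBUTES):
    """Restricted attributes the users endpoint hides but the members endpoint returns."""
    hidden_by_users = restricted - visible_attributes(user_list)
    returned_by_members = visible_attributes(group_members)
    return sorted(hidden_by_users & returned_by_members)


def check_group(base_url, token, realm, group_id):
    """Run the comparison against a live server for one group (not run offline)."""
    users = fetch_json(base_url, token, f"/admin/realms/{realm}/users")
    members = fetch_json(base_url, token, f"/admin/realms/{realm}/groups/{group_id}/members")
    return leaked_attributes(users, members)


# Constructed sample responses showing the pre-26.6.3 behaviour: the users
# list hides email and name, the group members list still returns them.
SAMPLE_USERS = [{"id": "u1", "username": "alice"}]
SAMPLE_MEMBERS = [{"id": "u1", "username": "alice",
                   "email": "alice@example.test", "firstName": "Alice"}]

if __name__ == "__main__":
    print(leaked_attributes(SAMPLE_USERS, SAMPLE_MEMBERS))  # ['email', 'firstName']
```

An empty list from `check_group` for every group and organization in the realm is the expected result after upgrading.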