Intel

AIKIDO-2026-836209

keycloak-services is vulnerable to Privilege Escalation

Privilege EscalationCVE-2026-9099 Published 3 days ago

77

High Risk

This Affects:

JAVAkeycloak-services
1.0.1.Final - 26.6.3
Fixed in 26.6.4
Are you affected? Scan for Free

TL;DR

The GroupResource.addChild endpoint in the Admin REST API is missing an authorization check when reparenting groups. With Fine-Grained Admin Permissions v2 enabled, a user who manages a single low-privilege group can move a highly privileged group underneath it. Because group permissions are inherited hierarchically, this grants management and password-reset rights over the privileged group's members and can lead to full realm takeover. The fix enforces authorization on the reparent operation.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and Fine-Grained Admin Permissions v2 is enabled.

Background info

keycloak-services is vulnerable to Privilege Escalation in versions 1.0.1.Final - 26.6.3.

How to fix this

Upgrade the org.keycloak:keycloak-services library to the patch version.