CVE-2026-9796— Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat Build of Keycloak | any | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-9796
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
检查时间与使用时间(TOCTOU)的竞争条件
Source: NVD (National Vulnerability Database)
Vulnerability Title
Keycloak 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Keycloak是Keycloak开源的一种开源身份和访问管理解决方案。 Keycloak存在安全漏洞,该漏洞源于具有manage-clients角色的经过身份验证的管理员可利用基于名称的管理员角色检查中的检查时间到使用时间漏洞,可能导致攻击者将其权限提升为领域内所有用户的realm-admin角色,从而获得对系统的广泛控制,且复合角色关系在攻击者权限被撤销和系统重启后仍然存在。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat Build of Keycloak | - | cpe:/a:redhat:build_keycloak: |
II. Public POCs for CVE-2026-9796
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-9796
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-9796 (1)
Other References for CVE-2026-9796 (1)
Same Patch Batch · Red Hat · 2026-05-28 · 14 CVEs total
| CVE-2026-4408 | 9.0 CRITICAL | Samba: remote code execution in samr |
| CVE-2026-9804 | 7.7 HIGH | Kubevirt: kubevirt: vmexport directory symlink escape enables exporter pod file read |
| CVE-2026-9795 | 7.3 HIGH | Keycloak: keycloak: privilege escalation via improper scope mapping enforcement |
| CVE-2026-44604 | 7.0 HIGH | Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level director |
| CVE-2026-9802 | 6.8 MEDIUM | Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster |
| CVE-2026-9792 | 6.5 MEDIUM | Keycloak: keycloak: security restriction bypass allows unauthorized ropc token acquisition |
| CVE-2026-9793 | 5.9 MEDIUM | Keycloak: keycloak: security policy bypass in jwe-encrypted request object processing |
| CVE-2026-9794 | 5.3 MEDIUM | Keycloak: keycloak: information disclosure via saml ecp endpoint |
| CVE-2026-9803 | 5.3 MEDIUM | Keycloak: keycloak: denial of service via malformed authorization header |
| CVE-2026-9801 | 4.9 MEDIUM | Keycloak: keycloak: denial of service via malformed ldap password policy response |
| CVE-2026-9791 | 4.3 MEDIUM | Keycloak-rhel9: organization data leak after feature disabled in keycloak |
| CVE-2026-9798 | 4.3 MEDIUM | Keycloak: keycloak: brute-force protection bypass in ciba flow |
| CVE-2026-10028 | 4.3 MEDIUM | Glib-networking: infinite loop in glib-networking gnutls backend allows remote denial of s |
IV. Related Vulnerabilities
Same product: Red Hat Build of Keycloak
- CVE-2026-9802
Keycloak: keycloak: unauthorized account access via replayed - CVE-2026-9803
Keycloak: keycloak: denial of service via malformed authoriz - CVE-2026-9801
Keycloak: keycloak: denial of service via malformed ldap pas - CVE-2026-9798
Keycloak: keycloak: brute-force protection bypass in ciba fl - CVE-2026-9795
Keycloak: keycloak: privilege escalation via improper scope
Same vendor: Red Hat
- CVE-2026-10101
Assisted-service: assisted-service: infraenv status leaks re - CVE-2026-42965
Openshift/router: openshift/router: cloud metadata ssrf via - CVE-2026-46579
Openshift/router: openshift/router: mtls client certificate - CVE-2026-10078
Quay/config-tool: quay/config-tool: gitlab oauth client_secr - CVE-2026-10052
Quay/config-tool: quay/config-tool: ssrf via unfiltered ldap
Same weakness: CWE-367
- CVE-2026-45619
AVideo CVE-2026-43884 incomplete fix - `isSSRFSafeURL()` cal - CVE-2026-42336
MaxKB: SSRF Bypass via DNS Rebinding in MaxKB OSS URL Fetch - CVE-2026-24191
NVIDIA Display Driver 安全漏洞 - CVE-2026-45208
Trend Micro Apex One和TrendAI Vision One Endpoint Security - - CVE-2026-7837
TOCTOU with root privilege in ad_flush
V. Comments for CVE-2026-9796
No comments yet