
5 matches found

Vulnrichment
added 2026/05/28 3:27 a.m., 7 views

CVE-2026-9791 Keycloak-rhel9: organization data leak after feature disabled in keycloak

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API, or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in...

CVSS 4.3, AI score 5.7, EPSS 0.00025
Exploits: 0, References: 2
RedhatCVE
added 2026/05/28 3:12 a.m., 9 views

CVE-2026-9791

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API, or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in...

CVSS 4.3, AI score 5.7, EPSS 0.00025
Exploits: 0, References: 3
ATTACKERKB
added 2026/03/23 10:53 a.m., 1 views

CVE-2026-4633

A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration...

CVSS 3.7, AI score 5.8, EPSS 0.00017
Exploits: 1, References: 3
Tenable Nessus
added 2025/02/19 12:0 a.m., 13 views

Keycloak 26.x < 26.0.10 / 26.1.x < 26.1.3 / 26.2.0 Improper Authorization

The version of Keycloak installed on the remote host is 26.0 prior to 26.0.10, 26.1 prior to 26.1.3, or prior to 26.2.0. It is, therefore, affected by an Improper Authorization vulnerability. A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an...

CVSS 5.4, AI score 5.6, EPSS 0.0009
Exploits: 0, References: 5
OSV
added 2025/02/17 3:32 p.m., 1 views

GHSA-RQ4W-CJRR-H8W8 Duplicate Advisory: Keycloak allows Incorrect Assignment of an Organization to a User

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-gvgg-2r3r-53x7. This link is maintained to preserve external references. Original Description: A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a...

CVSS 5.4, AI score 5.7, EPSS 0.0009
Exploits: 0, References: 7