CVE-2026-9083 | A flaw was found in Keycloak. A realm administrator with the… | CVSS 4.9 MEDIUM

Description

A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.

Metadata

CVE ID: CVE-2026-9083
State: PUBLISHED
Assigner: redhat
Reserved: 2026-05-20 14:11 UTC
Published: 2026-06-25 16:17 UTC
Last updated: 2026-06-25 17:53 UTC
Primary CWE: CWE-22
Improper Limitation of a Pathname to a Restricted Directory …
Vendor / Product: Red Hat / Red Hat Build of Keycloak
Sources: cve.org · NVD

Severity & Metrics

4.9 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Red Hat	Red Hat Build of Keycloak	—	—

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores (1)

Score	Severity	Version	Source	Vector
4.9	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

References (2)