Intro
CVE-2026-9796 is a Time-of-Check to Time-of-Use (TOCTOU) race condition in Keycloak’s admin role validation. An authenticated administrator holding the `manage-clients` role can race the name-based admin role check: in the window between the permission check and the point where its result is used, the attacker renames their client, and the system binds the `realm-admin` composite role to the attacker’s client on the strength of the stale check. The attacker thereby gains full `realm-admin` control of the realm, including every user in it. The resulting access remains after the original `manage-clients` role is revoked and persists across server restarts. The flaw is classified under CWE-367 (TOCTOU Race Condition). The CVSS v3.1 base score is 6.5 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N: reachable over the network, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality and integrity impact and no availability impact. The vulnerability was published on May 28, 2026.
DailyCVE Form
Platform: Red Hat
Version: Build Keycloak
Vulnerability: TOCTOU Race
Severity: 6.5 Medium
Date: 2026-05-28
Prediction: 2026-06-15
What Undercode Say:
Bash commands to enumerate vulnerable clients:
# Assumes kcadm.sh is already authenticated (kcadm.sh config credentials ...).
# List all clients in the realm; note the internal UUID of the realm-management
# client, which is where the manage-clients and realm-admin roles are defined.
kcadm.sh get clients -r MASTER_REALM
# List the roles defined on one client (use the realm-management client's UUID as CLIENT_ID).
kcadm.sh get clients/CLIENT_ID/roles -r MASTER_REALM
# Poll that role list every second to watch for changes.
watch -n 1 'kcadm.sh get clients/CLIENT_ID/roles -r MASTER_REALM'
Exploit:
The attacker races a client rename against the role check. They send two concurrent requests: one that renames their client and one that assigns the `realm-admin` role. If the rename lands inside the window between the check and the binding, the role check has validated one name while the binding is applied to the renamed client, and `realm-admin` is stored as a role mapping on the attacker’s client.
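The race described in the intro and the exploit paragraph above, reduced to a deterministic model. This is an added example written for this page, not Keycloak’s code: `Realm`, `Client`, `grant_role_vulnerable`, `grant_role_fixed`, the `ADMIN_CLIENT_NAMES` allowlist and the `between` hook (which stands in for the scheduler interleaving the attacker’s rename into the window) are all hypothetical. The vulnerable variant resolves the target by its mutable name at time of check and again at time of use; the fixed variant validates one object and binds by its immutable id, so renames in the window no longer redirect the grant.

```python
# Schematic model of a name-keyed check-then-use race (CWE-367).
# Added illustration for this page, not Keycloak's implementation: every
# class, function and constant below is a hypothetical name chosen for it.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

REALM_ADMIN = "realm-admin"
MANAGE_CLIENTS = "manage-clients"

# Hypothetical policy: realm-admin may only be bound to a client whose *name* is listed here.
ADMIN_CLIENT_NAMES = {"admin-console"}


@dataclass
class Client:
    id: str                     # immutable, assigned at creation
    name: str                   # mutable; anyone holding manage-clients can change it
    roles: Set[str] = field(default_factory=set)


class Realm:
    def __init__(self) -> None:
        self.clients: Dict[str, Client] = {}

    def add(self, client: Client) -> Client:
        self.clients[client.id] = client
        return client

    def by_name(self, name: str) -> Optional[Client]:
        return next((c for c in self.clients.values() if c.name == name), None)

    def rename(self, client_id: str, new_name: str) -> None:
        # Names stay unique within the realm, so the attacker must move the
        # real admin client out of the way before taking its name.
        if self.by_name(new_name) is not None:
            raise ValueError(f"name already in use: {new_name}")
        self.clients[client_id].name = new_name


def _check(caller: Client, target: Optional[Client], role: str) -> None:
    """Time of check: caller needs manage-clients; realm-admin only for allowed names."""
    if MANAGE_CLIENTS not in caller.roles:
        raise PermissionError("caller lacks manage-clients")
    if target is None:
        raise LookupError("no such client")
    if role == REALM_ADMIN and target.name not in ADMIN_CLIENT_NAMES:
        raise PermissionError(f"{role} not allowed on {target.name}")


def grant_role_vulnerable(realm: Realm, caller: Client, target_name: str, role: str,
                          between: Callable[[], None] = lambda: None) -> Client:
    """Check by name, then re-resolve by name at time of use (the TOCTOU bug)."""
    _check(caller, realm.by_name(target_name), role)
    between()                                  # the window: a rename can land here
    bound = realm.by_name(target_name)         # second lookup may hit a different client
    bound.roles.add(role)
    return bound


def grant_role_fixed(realm: Realm, caller: Client, target_name: str, role: str,
                     between: Callable[[], None] = lambda: None) -> Client:
    """Resolve once, validate that object, bind by its immutable id."""
    target = realm.by_name(target_name)
    _check(caller, target, role)
    target_id = target.id                      # identity captured at time of check
    between()                                  # same window; renames no longer matter
    bound = realm.clients[target_id]
    bound.roles.add(role)
    return bound


def build_realm() -> Tuple[Realm, Client, Client]:
    """Constructed sample state: one legitimate admin client, one attacker client."""
    realm = Realm()
    admin = realm.add(Client("c-1", "admin-console"))
    attacker = realm.add(Client("c-2", "attacker-app", {MANAGE_CLIENTS}))
    return realm, admin, attacker


def race(grant: Callable[..., Client]) -> Dict[str, Set[str]]:
    """Run one grant with the attacker's renames interleaved into the window.
    Returns {client id: roles} after the grant and after manage-clients is revoked."""
    realm, admin, attacker = build_realm()

    def swap_names() -> None:
        # Both renames are legitimate operations for a manage-clients holder.
        realm.rename(admin.id, "admin-console-old")
        realm.rename(attacker.id, "admin-console")

    grant(realm, attacker, "admin-console", REALM_ADMIN, between=swap_names)
    # Revoking the original privilege afterwards does not undo a stored realm-admin binding.
    attacker.roles.discard(MANAGE_CLIENTS)
    return {c.id: set(c.roles) for c in realm.clients.values()}


if __name__ == "__main__":
    print("vulnerable:", race(grant_role_vulnerable))   # c-2 (attacker) ends up with realm-admin
    print("fixed:     ", race(grant_role_fixed))        # c-1 (admin-console) gets it, c-2 does not
```

Binding by the validated object’s id removes the misdirection, but in a real server the check and the write should also run inside one transaction or under one lock so that the object cannot change state between them; the id fix alone closes this rename path, not every interleaving.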
Protection:
Apply the Keycloak security fix as soon as it is available. Until then, audit who holds `manage-clients` and remove it wherever it is not required: it permits renaming clients and is the precondition for this attack. Audit the `realm-admin` role mappings themselves rather than relying on revocation of `manage-clients`, since the escalated binding outlives that revocation. Enable and review Keycloak admin events for client updates and role-mapping changes, so that a client rename immediately followed by a role-mapping change stands out. Restrict network access to the admin console and admin REST API to reduce the attack surface.
Impact:
High confidentiality and integrity impact. With `realm-admin`, the attacker fully controls the realm: managing all users, clients and roles and accessing their data. The escalation is persistent, surviving revocation of the original permission and server restarts.
Sources:
Reported By: nvd.nist.gov

