CVE-2026-9083

MEDIUM 4.9

Keycloak: keycloak: information disclosure through arbitrary filesystem path probing

CVSS Score

4.9

EPSS Score

0.0%

EPSS Percentile

0th

A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.

CWE	CWE-22
Vendor	red hat
Product	red hat build of keycloak 26.6
Published	Jun 25, 2026
Last Updated	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for red hat red hat build of keycloak 26.6

Be the first to know when new medium vulnerabilities affecting red hat red hat build of keycloak 26.6 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Red Hat / Red Hat build of Keycloak 26.6

All versions affected

Red Hat / Red Hat build of Keycloak 26.6

All versions affected

Red Hat / Red Hat build of Keycloak 26.6

All versions affected

Red Hat / Red Hat build of Keycloak 26.6.4

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/errata/RHSA-2026:30083 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:30084 access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-9083 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2480168

Credits

Red Hat would like to thank Swapnil Paliwal & Security Team (AxiomCode) for reporting this issue.