What is CVE-2026-2366?

CVE-2026-2366 is a low-severity vulnerability in Red Hat Build Of Keycloak 26.4, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 3.1/10. Published 2026-03-12.

How severe is CVE-2026-2366?

Low severity. CVSS v3 base score is 3.1 out of 10.

Auth bypass in Red Hat Build Of Keycloak 26.4

CVE-2026-2366

A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This infor…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.000 (2.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.1 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N.

Affected products

Red Hat Build Of Keycloak 26.4 — versions 26.4.11-1, 26.4-14
Red Hat Build Of Keycloak 26.4.11

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

RHSA-2026:6477 (vendor-advisory, x_refsource_REDHAT)
RHSA-2026:6478 (vendor-advisory, x_refsource_REDHAT)
access.redhat.com/security/cve/CVE-2026-2366 (vdb-entry, x_refsource_REDHAT)
RHBZ#2439081 (issue-tracking, x_refsource_REDHAT)

Frequently asked questions

What is CVE-2026-2366?: CVE-2026-2366 is a low-severity vulnerability in Red Hat Build Of Keycloak 26.4, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 3.1/10. Published 2026-03-12.
How severe is CVE-2026-2366?: Low severity. CVSS v3 base score is 3.1 out of 10.