Zero Day MonitorZDM

← Back to list

4.9

CVE-2026-9083EXPLOITEDPATCHED

red hat · keycloak

Keycloak: keycloak: information disclosure through arbitrary filesystem path probing

Description

A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.

Affected Products

Vendor	Product	Versions
red hat	keycloak	—

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
open source	open source keycloak	cert_advisory	90%

References

https://access.redhat.com/errata/RHSA-2026:30049(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:30050(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:30083(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:30084(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/security/cve/CVE-2026-9083(vdb-entry, x_refsource_REDHAT)
https://bugzilla.redhat.com/show_bug.cgi?id=2480168(issue-tracking, x_refsource_REDHAT)

Related News (2 articles)

Tier B

BSI Advisories1d ago

[NEU] [hoch] Keycloak: Mehrere Schwachstellen

→ No new info (linked only)

Tier C

VulDB2d ago

CVE-2026-9083 | Keycloak on Red Hat Key Provider keystore path traversal

→ No new info (linked only)

CVSS 3.14.9 NONE

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

26.6.4-226.6-8

CWECWE-22

PublishedJun 25, 2026

Last enriched2d agov2

Trending Score41

Source articles2

Independent2

Info Completeness6/14

Missing: versions, cvss, epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-9800EXP

Keycloak: keycloak policy enforcer: authorization bypass via incorrect uri comparison

NONECVE-2026-9086EXP

Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass

CRITICALCVE-2026-12992EXP

Apicurio/apicurio-registry: apicurio-registry: ssrf via wsdl4j import dereference in wsdl full validation

HIGHCVE-2026-12993EXP

Apicurio/apicurio-registry: apicurio-registry: xml entity-expansion denial of service via internal dtd subset

NONECVE-2026-13325EXP

Virt-handler-rhel9: kubevirt: kubevirt: disabletls migration setting removes authentication, exposing unauthenticated virtqemud proxy on all interfaces

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Jun 25, 2026

Discovered by ZDM

Jun 25, 2026

Updated: description, severity, activelyExploited

Jun 25, 2026

Actively Exploited

Jun 26, 2026

Patch Available

Jun 26, 2026

Version History

v2

Last enriched 2d ago

v2Tier C2d ago

Updated severity to CRITICAL, marked as actively exploited, and provided a new description with additional details.

descriptionseverityactivelyExploited

via VulDB

v12d ago

Initial creation