Keycloak has a Time-of-check Time-of-use (TOCTOU) Race Condition
Moderate severity
GitHub Reviewed
Published
May 28, 2026
to the GitHub Advisory Database
•
Updated Jul 1, 2026
Description
Published by the National Vulnerability Database
May 28, 2026
Published to the GitHub Advisory Database
May 28, 2026
Reviewed
Jul 1, 2026
Last updated
Jul 1, 2026
A flaw was found in Keycloak. An authenticated administrator with the
manage-clientsrole can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges torealm-adminfor all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots.References