Keycloak: org.keycloak.services: keycloak: information disclosure via evaluate-scopes admin api

4.9 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Description

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.

Basic Information

ID CVE-2026-37978

Source redhat

Published May 19, 2026 at 10:52

Affected Product

Vendor Red Hat

Product Red Hat Build of Keycloak

CWE Classification

CWE-639

References

{
    "lastseen": "",
    "description": "A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.",
    "published": "2026-05-19T10:52:29.997Z",
    "modified": "2026-05-19T10:52:29.997Z",
    "type": "cve",
    "title": "Keycloak: org.keycloak.services: keycloak: information disclosure via evaluate-scopes admin api",
    "source": "redhat",
    "references": "https://access.redhat.com/security/cve/CVE-2026-37978\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2455327",
    "id": "CVE-2026-37978",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 4.9,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Red Hat Build of Keycloak",
    "version": "",
    "vendor": "Red Hat",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Keycloak: org.keycloak.services: keycloak: information disclosure via evaluate-scopes admin api_CVE-2026-37978