Keycloak: org.keycloak.authorization: keycloak: information disclosure via broken access control in...

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.

Basic Information

ID CVE-2026-37981

Source redhat

Published May 19, 2026 at 10:28

Modified May 19, 2026 at 12:06

Affected Product

Vendor Red Hat

Product Red Hat Build of Keycloak

CWE Classification

CWE-1220

References

{
    "lastseen": "",
    "description": "A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.",
    "published": "2026-05-19T10:28:24.207Z",
    "modified": "2026-05-19T12:06:13.589Z",
    "type": "cve",
    "title": "Keycloak: org.keycloak.authorization: keycloak: information disclosure via broken access control in user lookup endpoint",
    "source": "redhat",
    "references": "https://access.redhat.com/security/cve/CVE-2026-37981\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2455326",
    "id": "CVE-2026-37981",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1220"
    ],
    "cvelist": null,
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Red Hat Build of Keycloak",
    "version": "",
    "vendor": "Red Hat",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Keycloak: org.keycloak.authorization: keycloak: information disclosure via broken access control in user lookup endpoint_CVE-2026-37981