
Description

A flaw was found in Keycloak. The realm Admin REST API's 'evaluate-scopes' endpoints (in Keycloak's documented Admin API these are the client scope evaluation endpoints behind the admin console's "Evaluate" tab, including the ones that generate an example access token, ID token or userinfo response for a client on behalf of a given user) accept a caller-supplied user ID (userId) parameter. A low-privilege administrator holding only the realm-management 'view-clients' role can invoke these endpoints with an arbitrary userId, and the server does not check that the caller is authorized to view that user. The result is cross-role personally identifiable information (PII) leakage: unauthorized visibility into user identities and into the roles and authorizations granted to users across the realm, even though the caller holds no role that permits viewing users. Exploitation requires only an authenticated Admin API account with that role and network access to the Admin API. The root cause is an authorization check performed on the client named in the request path but not on the user named by the caller-controlled key (CWE-639).
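To make the CWE-639 shape of this flaw concrete, the following is an added example in Python; it is not Keycloak's code (which is Java) and not the fix shipped in the referenced errata. It models an evaluate-scopes-style handler that takes a caller-controlled userId, once with authorization only on the client (the vulnerable shape) and once with an additional object-level check on the user the key names. The role names (view-clients, view-users, realm-admin) mirror Keycloak's realm-management roles, but the sample users and clients, the handlers and the role-to-permission mapping are assumptions made for this example.

```python
# Added illustration of CWE-639 (authorization bypass through a user-controlled key)
# in the shape of the flaw described above. This is NOT Keycloak's code: the data,
# the evaluate_scopes_* handlers and the role-to-permission mapping are assumptions
# for the example. Role names mirror Keycloak's realm-management roles
# (view-clients, view-users, realm-admin); the actual upstream fix may differ.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised where a real endpoint would answer HTTP 403."""


@dataclass(frozen=True)
class User:
    id: str
    username: str
    email: str
    realm_roles: frozenset


@dataclass(frozen=True)
class Caller:
    """An authenticated Admin API caller and its realm-management roles."""
    user_id: str
    roles: frozenset


# Constructed sample realm (not from any real deployment).
USERS = {
    "u-1001": User("u-1001", "alice", "alice@example.test", frozenset({"offline_access"})),
    "u-2002": User("u-2002", "bob", "bob@example.test", frozenset({"finance-approver"})),
}
# Realm roles a client's scope lets it see, keyed by client id.
CLIENTS = {"c-web": frozenset({"finance-approver", "offline_access"})}


def _example_token(client_id, user):
    """Model of what an evaluate-scopes style endpoint returns for (client, user):
    the user's identity claims plus the realm roles the client's scope would grant."""
    return {
        "sub": user.id,
        "preferred_username": user.username,
        "email": user.email,
        "realm_access": {"roles": sorted(user.realm_roles & CLIENTS[client_id])},
    }


def _require_client_view(caller, client_id):
    # Authorization on the entry-point resource: the client named in the path.
    if client_id not in CLIENTS:
        raise KeyError(client_id)
    if not ({"view-clients", "realm-admin"} & caller.roles):
        raise Forbidden("view-clients required")


def evaluate_scopes_vulnerable(caller, client_id, user_id):
    """Vulnerable shape: only the client is authorized; userId is trusted as given."""
    _require_client_view(caller, client_id)
    return _example_token(client_id, USERS[user_id])


def can_view_user(caller, user_id):
    """Object-level check on the user-controlled key: realm admins and holders of
    view-users may see any user; everyone else only themselves."""
    return bool({"view-users", "realm-admin"} & caller.roles) or user_id == caller.user_id


def evaluate_scopes_hardened(caller, client_id, user_id):
    """Hardened shape: authorize the client AND the user the key refers to.
    The user authorization runs before the lookup so an unauthorized caller cannot
    use 403-versus-404 differences to enumerate valid user IDs."""
    _require_client_view(caller, client_id)
    if not can_view_user(caller, user_id):
        raise Forbidden("not permitted to view user " + user_id)
    user = USERS.get(user_id)
    if user is None:
        raise KeyError(user_id)
    return _example_token(client_id, user)


def outcome(handler, caller, client_id, user_id):
    """Run a handler and fold its result into (status, payload) for comparison."""
    try:
        return "ok", handler(caller, client_id, user_id)
    except Forbidden as exc:
        return "forbidden", str(exc)
    except KeyError as exc:
        return "not_found", str(exc)


if __name__ == "__main__":
    viewer = Caller("u-1001", frozenset({"view-clients"}))  # low-privilege admin
    for name, handler in (("vulnerable", evaluate_scopes_vulnerable),
                          ("hardened", evaluate_scopes_hardened)):
        print(name, "-> other user:", outcome(handler, viewer, "c-web", "u-2002"))
        print(name, "-> self:      ", outcome(handler, viewer, "c-web", "u-1001"))
```

The point to carry over to any endpoint that takes a foreign object identifier: authorization must be evaluated against the object the identifier resolves to, not only against the resource in the URL path, and that check should run before the object lookup so an unauthorized caller cannot tell existing IDs from non-existent ones.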

Record status: PUBLISHED. Reserved 2026-04-06 | Published 2026-05-19 | Updated 2026-05-20 | Assigner: redhat

Severity

MEDIUM: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Reading the vector: the attacker needs an authenticated Admin API account that already holds a realm-management role (PR:H), no user interaction is involved (UI:N), and the impact is confidentiality only (C:H, I:N, A:N), which is why the score lands in the medium band despite the high confidentiality impact.

Problem types

Authorization Bypass Through User-Controlled Key (CWE-639)

Product status

The product names for the following entries are not present on this page; each entry is one product record with its default status and, where given, the version range marked unaffected. The versions are rpm package versions as marked, not upstream Keycloak release numbers.

Entry 1: default status affected; 26.4.12-1 (rpm) and later ("before *"): unaffected

Entry 2: default status affected; 26.4-17 (rpm) and later ("before *"): unaffected

Entry 3: default status affected; 26.4-17 (rpm) and later ("before *"): unaffected

Entry 4: default status unaffected

Timeline

2026-04-06: Reported to Red Hat.
2026-05-19: Made public.

References

access.redhat.com/errata/RHSA-2026:19596 (RHSA-2026:19596) vendor-advisory

access.redhat.com/errata/RHSA-2026:19597 (RHSA-2026:19597) vendor-advisory

access.redhat.com/security/cve/CVE-2026-37978 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2455327 (RHBZ#2455327) issue-tracking

cve.org (CVE-2026-37978)

nvd.nist.gov (CVE-2026-37978)
