Cross-role Information Exposure in Keycloak by Red Hat
CVE-2026-37978

4.9MEDIUM

Key Information:

Vendor

Red Hat
Status
Red Hat Build Of Keycloak 26.4
Red Hat Build Of Keycloak 26.4.12
Vendor
CVE Published:
19 May 2026

What is CVE-2026-37978?

A security flaw exists in Keycloak that allows low-privilege administrators holding the 'view-clients' role to exploit the Admin API. By invoking the 'evaluate-scopes' endpoint with arbitrary user ID parameters, such administrators can inadvertently leak personally identifiable information (PII) across roles. This unintended information exposure permits unauthorized visibility into user identities and their associated permissions, posing a significant risk to user privacy. The flaw can be remotely exploited with network access to the Admin API, making it essential for organizations to address this vulnerability urgently.

Affected Version(s)

Red Hat build of Keycloak 26.4 26.4.12-1

Red Hat build of Keycloak 26.4 26.4-17

Red Hat build of Keycloak 26.4 26.4-17

References

https://access.redhat.com/errata/RHSA-2026:19596
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19597
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-37978
vdb-entryx_refsource_REDHAT

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.