Broken Access Control Vulnerability in Keycloak by Red Hat
CVE-2026-37981

4.3 MEDIUM

What is CVE-2026-37981?

A vulnerability in Keycloak has been identified that allows an authenticated user who owns User-Managed Access (UMA) resources to abuse the Account Resources user lookup endpoint. By submitting requests with arbitrary usernames or email addresses, a remote user can enumerate and obtain personally identifiable information (PII) about all users within the realm. This flaw results in unauthorized access to sensitive profile information, leading to significant data privacy concerns.

Affected Version(s)

Red Hat build of Keycloak 26.4 26.4.12-1

Red Hat build of Keycloak 26.4 26.4-17

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Red Hat would like to thank XavLimSG for reporting this issue.