Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure

GHSA-q35r-vvhv-vx5h · CVE-2026-3190

Published Mar 26, 2026 · Modified Apr 2, 2026

Description

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the uma_protection role check. This allows any authenticated user with a token issued for a resource server client, even without the uma_protection role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.

References

4.3 / 10

MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected Packages

Maven/org.keycloak:keycloak-model-jpa

Fix 26.5.6

Introduced 0

222 affected versions

1.0-alpha-11.0-alpha-1-120620131.0-alpha-21.0-alpha-31.0-alpha-41.0-beta-11.0-beta-1-201505211.0-beta-1-201505231.0-beta-21.0-beta-31.0-beta-41.0-final1.0-rc-11.0-rc-21.0.1.Final1.0.2.Final1.0.3.Final1.0.4.Final1.0.5.Final1.1.0.Beta1 +202 more

Maven/org.keycloak:keycloak-server-spi-private

Fix 26.5.6

Introduced 0

162 affected versions

10.0.010.0.110.0.211.0.011.0.111.0.211.0.312.0.012.0.112.0.212.0.312.0.413.0.013.0.114.0.015.0.015.0.115.0.215.1.015.1.1 +142 more

Maven/org.keycloak:keycloak-services

Fix 26.5.6

Introduced 0

222 affected versions

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes