Keycloak: Information Disclosure via evaluate-scopes Admin API

GHSA-rrv7-3mqf-hxfr · CVE-2026-37978

Published May 19, 2026 · Modified Jun 4, 2026

Description

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-37978
WEB https://github.com/keycloak/keycloak/commit/492d1f04cdad425dadb9d5e1faa94dd17a875573
WEB https://github.com/keycloak/keycloak/commit/ba9a18744dcec2ef46f284d25c1c0aa1c962a500
WEB https://access.redhat.com/errata/RHSA-2026:19596
WEB https://access.redhat.com/errata/RHSA-2026:19597
WEB https://access.redhat.com/security/cve/CVE-2026-37978
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2455327
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes