New: Corgea AI Pentesting — autonomous penetration testing in hours, not weeks
MEDIUM 4.3 Maven

Keycloak Account Resources user lookup contains broken access control

GHSA-933f-rg6j-f46p · CVE-2026-37981

Published · Modified

Description

Keycloak's Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.

Ready to move

Start Securing

Free, no credit card | First findings in minutes