Back to CVE List

CVE-2026-37981

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score
4.3 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Vulnerability Description

A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-1220
Source
NVD
Vendor
Red Hat
Product
Red Hat Build of Keycloak

External References

Discussion (0)

Add Comment

No comments yet. Be the first!