Bug 2455327 (CVE-2026-37978) - CVE-2026-37978 keycloak: org.keycloak.services: Keycloak: Information Disclosure via evaluate-scopes Admin API
Keywords:
Status: NEW
Alias: CVE-2026-37978
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-04-06 07:56 UTC by OSIDB Bzimport
Modified: 2026-05-19 10:44 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-06 07:56:56 UTC
Cross-role information disclosure vulnerability in Keycloak’s evaluate-scopes Admin API endpoints. The flaw is caused by accepting an arbitrary userId parameter and validating only client permissions, without calling auth.users().requireView() or equivalent user-view checks. When a low-privilege admin with only the view-clients role invokes the evaluate-scopes endpoints, Keycloak generates example tokens that contain full profile and role data for any targeted user. This can be exploited remotely by such admins using only network access to the Admin API. The result is cross-role PII leakage, allowing unauthorized visibility into user identities and authorizations across the realm.
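To make the missing check concrete, the following is an added, simplified sketch of an admin sub-resource in the style of the evaluate-scopes endpoints; it is not Keycloak's own source for this CVE. The class name `ExampleScopeEvaluateResource`, the `ExampleTokenGenerator` helper and the endpoint path are assumptions; `auth.clients().requireView(...)` and `auth.users().requireView(...)` are the permission-evaluator calls the description names, and the second one is exactly what the flawed code omitted.

```java
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;

// Hypothetical admin sub-resource modelled on the description; not Keycloak source.
public class ExampleScopeEvaluateResource {

    // Hypothetical helper that builds the "example token" shown in the admin console.
    public interface ExampleTokenGenerator {
        String generate(UserModel user, ClientModel client, String scope);
    }

    private final KeycloakSession session;
    private final RealmModel realm;
    private final ClientModel client;              // client selected by the admin URL
    private final AdminPermissionEvaluator auth;   // permissions of the calling admin
    private final ExampleTokenGenerator tokens;

    public ExampleScopeEvaluateResource(KeycloakSession session, RealmModel realm,
                                        ClientModel client, AdminPermissionEvaluator auth,
                                        ExampleTokenGenerator tokens) {
        this.session = session;
        this.realm = realm;
        this.client = client;
        this.auth = auth;
        this.tokens = tokens;
    }

    @GET
    @Path("generate-example-access-token")
    public String generateExampleAccessToken(@QueryParam("scope") String scope,
                                             @QueryParam("userId") String userId) {
        // Client-level check: the reported flaw stopped here, so view-clients alone sufficed.
        auth.clients().requireView(client);

        UserModel user = session.users().getUserById(realm, userId);
        if (user == null) {
            throw new NotFoundException("User not found");
        }

        // User-level check that was missing: throws ForbiddenException unless the caller
        // may view this particular user, so the token cannot expose arbitrary users' data.
        auth.users().requireView(user);

        return tokens.generate(user, client, scope);
    }
}
```

The same pair of checks applies to every evaluate-scopes variant that takes a userId, since each of them renders profile and role data for the resolved user.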

