Bug 2455326 (CVE-2026-37981) - CVE-2026-37981 keycloak: org.keycloak.authorization: Keycloak: Information disclosure via broken access control in user lookup endpoint
Status: NEW
Alias: CVE-2026-37981
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
Reported: 2026-04-06 07:53 UTC by OSIDB Bzimport
Modified: 2026-05-19 10:20 UTC (History)
Description OSIDB Bzimport 2026-04-06 07:53:43 UTC
A broken access control vulnerability exists in Keycloak’s Account Resources user lookup endpoint. The flaw is caused by validating only that the UMA resource ID belongs to the caller, without enforcing any relationship between that resource and the user being queried. When a crafted request is sent with arbitrary usernames or email values, the endpoint returns full profile objects (ID, username, name, email, status) for unrelated users. This can be exploited remotely by any authenticated user who owns at least one UMA-managed resource. Attackers can systematically enumerate and harvest PII for all realm users, leading to broad profile-level information disclosure.
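The access-control defect described above, modelled as an added example that is not Keycloak's code: the flawed lookup checks only that the UMA resource belongs to the caller, while the hardened variant additionally requires the queried user to already hold a share on that resource and returns the same "not found" result for unrelated and non-existent users. The realm data, the `RESOURCE_SHARES` relationship table and the function names are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    username: str
    email: str


# Constructed realm data (assumption, not real Keycloak state).
USERS = {u.username: u for u in (
    User("u1", "alice", "alice@example.test"),
    User("u2", "bob", "bob@example.test"),
    User("u3", "carol", "carol@example.test"),
)}
RESOURCE_OWNER = {"res-1": "alice"}          # UMA resource -> owner username
RESOURCE_SHARES = {"res-1": {"bob"}}         # resource -> users it is shared with


class Forbidden(Exception):
    """Raised when the caller does not own the resource."""


def lookup_user_vulnerable(caller, resource_id, username):
    """Flawed check: resource ownership only, so any realm user is returned."""
    if RESOURCE_OWNER.get(resource_id) != caller:
        raise Forbidden("caller does not own this resource")
    return USERS.get(username)


def lookup_user_fixed(caller, resource_id, username):
    """Hardened check: ownership plus a relationship between resource and user."""
    if RESOURCE_OWNER.get(resource_id) != caller:
        raise Forbidden("caller does not own this resource")
    user = USERS.get(username)
    related = RESOURCE_SHARES.get(resource_id, set())
    # Unrelated users and non-existent users look identical to the caller,
    # so the endpoint cannot be used as an existence oracle for the realm.
    if user is None or user.username not in related:
        return None
    return user


def enumerable_profiles(lookup, caller, resource_id):
    """Count how many realm profiles a caller can retrieve through `lookup`."""
    return sum(1 for name in USERS if lookup(caller, resource_id, name) is not None)
```

Run against the constructed realm, the flawed lookup exposes all three profiles to the resource owner while the hardened one exposes only the user the resource was shared with.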
