CVE-2026-3190
Unauthorized Access in Keycloak UMA API Causes Information Disclosure
Publication date: 2026-03-26
Last updated on: 2026-04-02
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | build_of_keycloak | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-280 | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Keycloak allows unauthorized enumeration of all permission tickets by any authenticated user without the required 'uma_protection' role. This leads to partial information disclosure.
Such unauthorized information disclosure could affect compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive information and user permissions.
However, the provided information does not explicitly detail the direct effects on compliance with these standards.
Can you explain this vulnerability to me?
CVE-2026-3190 is a vulnerability in Keycloak's User-Managed Access (UMA) 2.0 Protection API. The flaw is that the API endpoint responsible for permission tickets does not properly enforce the required "uma_protection" role check.
This means that any authenticated user who has a valid token issued for a resource server client can enumerate all permission tickets in the system, even if their token does not include the "uma_protection" role.
In essence, unauthorized users can access information about permission tickets that they should not be able to see.
How can this vulnerability impact me?
This vulnerability can lead to information disclosure by allowing unauthorized users to enumerate all permission tickets in the Keycloak system.
An attacker with a valid authenticated token for a resource server client, but without the proper "uma_protection" role, can gain access to sensitive permission ticket data.
This could expose details about resource permissions and access controls, which might be leveraged for further attacks or unauthorized access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized enumeration of permission tickets via the UMA 2.0 Protection API endpoint in Keycloak by any authenticated user without the required 'uma_protection' role.
To detect this vulnerability on your system, you can monitor API requests to the UMA 2.0 Protection API endpoint for permission tickets and check if users without the 'uma_protection' role are able to access or enumerate permission tickets.
Suggested commands or approaches include:
- Use Keycloak server logs to identify requests to the UMA 2.0 Protection API endpoint and verify the roles associated with the tokens used.
- Query the Keycloak audit logs or enable detailed logging to capture permission ticket enumeration attempts.
- Use API testing tools (e.g., curl or Postman) with tokens lacking the 'uma_protection' role to attempt access to the permission tickets endpoint and observe if enumeration is possible.
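As an added example (not code from this page or from the Keycloak project), the role check the log-based approach above describes, run over constructed request records: it reads Keycloak-style role claims out of tokens the server has already accepted and flags hits on the permission ticket endpoint whose token lacks the uma_protection role. The endpoint path suffix, the record layout and the client names are assumptions.

```python
import base64
import json

# Assumed Protection API path for permission tickets (not quoted on this page).
TICKET_PATH = "/authz/protection/permission/ticket"

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def constructed_token(azp: str, client_roles: list) -> str:
    """Build an unsigned JWT carrying Keycloak-style role claims (constructed sample data)."""
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    claims = {"azp": azp, "realm_access": {"roles": ["offline_access"]},
              "resource_access": {azp: {"roles": client_roles}}}
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."

def token_roles(token: str) -> set:
    """Collect realm and client roles from a token Keycloak has already accepted;
    signature verification happened server-side before the request was logged."""
    claims = json.loads(b64url_decode(token.split(".")[1]))
    roles = set(claims.get("realm_access", {}).get("roles", []))
    for client in claims.get("resource_access", {}).values():
        roles.update(client.get("roles", []))
    return roles

def flag_ticket_requests(records: list) -> list:
    """Return (azp, path) for permission-ticket requests whose token lacks uma_protection."""
    findings = []
    for rec in records:
        if not rec["path"].endswith(TICKET_PATH):
            continue
        if "uma_protection" not in token_roles(rec["token"]):
            azp = json.loads(b64url_decode(rec["token"].split(".")[1])).get("azp")
            findings.append((azp, rec["path"]))
    return findings

# Constructed request records: the path hit plus the bearer token that authorised it.
SAMPLE_RECORDS = [
    {"path": "/realms/demo/authz/protection/permission/ticket",
     "token": constructed_token("rs-client", ["uma_protection"])},
    {"path": "/realms/demo/authz/protection/permission/ticket",
     "token": constructed_token("webapp", ["view-profile"])},
    {"path": "/realms/demo/protocol/openid-connect/userinfo",
     "token": constructed_token("webapp", [])},
]
```

Only the second record is flagged: it reaches the ticket endpoint with a token whose roles do not include uma_protection, while the third record is ignored because it is not a ticket request.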
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the UMA 2.0 Protection API endpoint to only those users or clients that have the 'uma_protection' role assigned.
Additionally, review and update Keycloak configurations and access control policies to enforce proper role checks on permission ticket endpoints.
If available, apply any patches or updates provided by Keycloak or your Linux distribution that address this vulnerability.
Monitor and audit API access logs to detect unauthorized attempts and revoke or reissue tokens that do not comply with role requirements.