CVE-2026-3911
Information Disclosure in Keycloak UserResource via Privileged Access
Publication date: 2026-03-11
Last updated on: 2026-04-02
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | From 2026-03-11 (inc) |
| redhat | keycloak | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Keycloak's administrative endpoint UserResource. An authenticated user with the view-users role can access a specific GET endpoint that improperly discloses user attributes which are configured to be hidden or disabled.

Specifically, the endpoint `/admin/realms/{realm}/users/{UUID}/unmanagedAttributes` returns user attributes that should not be visible to anyone, including administrators. This means that sensitive user data that was intended to be hidden can be accessed by unauthorized users with certain roles. [1]
How can this vulnerability impact me?
The impact of this vulnerability is unauthorized disclosure of sensitive user information. An authenticated user with the view-users role can retrieve user attributes that were meant to be hidden, potentially exposing private or sensitive data.
Although the severity is considered low, this information disclosure could lead to privacy violations or misuse of user data, depending on what attributes are exposed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if an authenticated user with the view-users role can access the administrative endpoint that exposes disabled user attributes.

Specifically, you can attempt to send a GET request to the endpoint `/admin/realms/{realm}/users/{UUID}/unmanagedAttributes` using credentials of a user with the view-users role.

If the response includes user attributes that are supposed to be hidden (disabled), then the vulnerability is present.

A sample command using curl might be:

```shell
curl -k -H "Authorization: Bearer <access_token>" https://<keycloak-server>/admin/realms/<realm>/users/<UUID>/unmanagedAttributes
```

Replace `<access_token>` with a valid token for a user having the view-users role, and `<keycloak-server>`, `<realm>`, and `<UUID>` with appropriate values. [1]
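An added example, not from the advisory or the Keycloak project, that evaluates a captured response from the endpoint above against the realm's user profile configuration so the check can be repeated as a regression test. It assumes the profile configuration is the JSON returned by Keycloak's `GET /admin/realms/{realm}/users/profile`, that its `unmanagedAttributePolicy` field (absent meaning unmanaged attributes are disabled, otherwise ENABLED, ADMIN_VIEW or ADMIN_EDIT) decides whether administrators may see them, and that the endpoint returns a JSON object mapping attribute names to lists of values; the sample data is constructed.

```python
"""Flag disclosure of unmanaged user attributes that the realm's user
profile configuration says should stay hidden.

Assumptions (not from the advisory): the profile configuration is the JSON
from GET /admin/realms/{realm}/users/profile, whose `unmanagedAttributePolicy`
is absent when unmanaged attributes are disabled, and the endpoint answers
with a JSON object of attribute name -> list of values.
"""
import json

ENDPOINT = "/admin/realms/{realm}/users/{uuid}/unmanagedAttributes"

# Policies under which an administrator may legitimately see unmanaged attributes.
ADMIN_VISIBLE_POLICIES = {"ENABLED", "ADMIN_VIEW", "ADMIN_EDIT"}


def endpoint_url(base_url: str, realm: str, uuid: str) -> str:
    """Build the URL of the endpoint named in the advisory."""
    return base_url.rstrip("/") + ENDPOINT.format(realm=realm, uuid=uuid)


def exposed_attributes(up_config: dict, response_body: str) -> dict:
    """Return the attributes the endpoint disclosed although the profile
    configuration hides unmanaged attributes. An empty dict means no finding."""
    policy = up_config.get("unmanagedAttributePolicy")  # None = disabled
    if policy in ADMIN_VISIBLE_POLICIES:
        return {}  # the configuration allows admins to see them
    try:
        body = json.loads(response_body)
    except json.JSONDecodeError:
        return {}  # not a JSON body, nothing to assess
    if not isinstance(body, dict):
        return {}
    # Only entries that actually carry a value disclose anything.
    return {name: values for name, values in body.items() if values}


# Constructed sample: unmanaged attributes disabled in the profile, yet the
# endpoint answer still contains two hidden attributes with values.
SAMPLE_UP_CONFIG = {"attributes": [{"name": "username"}, {"name": "email"}]}
SAMPLE_RESPONSE = json.dumps(
    {"ssn": ["123-45-6789"], "internal_note": ["vip"], "empty": []}
)

if __name__ == "__main__":
    found = exposed_attributes(SAMPLE_UP_CONFIG, SAMPLE_RESPONSE)
    print("disclosed:" if found else "no disclosure:", sorted(found))
```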
What immediate steps should I take to mitigate this vulnerability?
I don't know