CVE-2026-3911
Status: Analyzed - Analysis Complete
Information Disclosure in Keycloak UserResource via Privileged Access

Publication date: 2026-03-11

Last updated on: 2026-05-07

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.
Meta Information
Published: 2026-03-11
Last Modified: 2026-05-07
Generated: 2026-06-16
AI Q&A: 2026-03-11
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 3 associated CPEs
Vendor  Product            Version / Range
redhat  build_of_keycloak  *
redhat  build_of_keycloak  26.4
redhat  build_of_keycloak  26.4.11
CWE
CWE-359: The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Executive Summary

This vulnerability exists in Keycloak's administrative endpoint UserResource. An authenticated user with the view-users role can access a specific GET endpoint that improperly discloses user attributes which are configured to be hidden or disabled.

Specifically, the endpoint `/admin/realms/{realm}/users/{UUID}/unmanagedAttributes` returns user attributes that should not be visible to anyone, including administrators. This means that sensitive user data that was intended to be hidden can be accessed by unauthorized users with certain roles. [1]

Impact Analysis

The impact of this vulnerability is unauthorized disclosure of sensitive user information. An authenticated user with the view-users role can retrieve user attributes that were meant to be hidden, potentially exposing private or sensitive data.

Although the severity is considered low, this information disclosure could lead to privacy violations or misuse of user data, depending on what attributes are exposed.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if an authenticated user with the view-users role can access the administrative endpoint that exposes disabled user attributes.

Specifically, you can attempt to send a GET request to the endpoint `/admin/realms/{realm}/users/{UUID}/unmanagedAttributes` using credentials of a user with the view-users role.

If the response includes user attributes that are supposed to be hidden (disabled), then the vulnerability is present.

A sample command using curl might be:

    curl -k -H "Authorization: Bearer <access_token>" https://<keycloak-server>/admin/realms/<realm>/users/<UUID>/unmanagedAttributes

Replace `<access_token>` with a valid token for a user having the view-users role, and `<keycloak-server>`, `<realm>`, and `<UUID>` with appropriate values. [1]
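The same check, written as a small verification script so it can be re-run after patching (an added example; it is not part of this CVE record and not Keycloak project code). It assumes the endpoint answers with a JSON object mapping attribute names to value lists, that the operator has first created a dedicated test user carrying marker attributes (hypothetical names `cve_2026_3911_marker` and `internal_note`) that the realm configures as hidden, and that `KC_URL`, `KC_REALM`, `KC_USER_UUID` and `KC_TOKEN` are environment variables the operator sets; the token belongs to an account holding only the view-users role.

```python
"""Verification check for CVE-2026-3911 (added example, not from the CVE
record or the Keycloak project).

Probes the advisory's endpoint with a view-users token and reports whether
attributes the tester configured as hidden come back in the response.
"""
import json
import os
import sys
import urllib.error
import urllib.request

# Constructed marker attribute names (hypothetical): the tester sets these
# on the test user and configures them as hidden before running the check.
HIDDEN_MARKERS = {"cve_2026_3911_marker", "internal_note"}


def leaked_hidden_attributes(body, hidden):
    """Return the hidden attribute names present in a decoded response body.

    Assumes the body is a JSON object keyed by attribute name. A non-object
    body (for example a string error message) yields no findings.
    """
    if not isinstance(body, dict):
        return set()
    return {name for name in body if name in hidden}


def fetch_unmanaged_attributes(base_url, realm, user_uuid, token, timeout=10):
    """GET /admin/realms/{realm}/users/{UUID}/unmanagedAttributes (the path
    given in the advisory).

    Returns (status_code, decoded_body). The body is None when the server
    refuses or fails the request; a status of 0 means no HTTP reply at all.
    """
    url = (f"{base_url.rstrip('/')}/admin/realms/{realm}"
           f"/users/{user_uuid}/unmanagedAttributes")
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read().decode("utf-8")
            return resp.status, json.loads(raw) if raw else None
    except urllib.error.HTTPError as err:
        return err.code, None
    except urllib.error.URLError:
        return 0, None


def assess(status, body, hidden=HIDDEN_MARKERS):
    """Classify one probe for the report: 'leak', 'clean' or 'denied'.

    'denied' covers both an access-control refusal (which a fixed deployment
    may return for this role) and any non-200 reply.
    """
    if status != 200 or body is None:
        return "denied"
    return "leak" if leaked_hidden_attributes(body, hidden) else "clean"


if __name__ == "__main__":
    needed = ("KC_URL", "KC_REALM", "KC_USER_UUID", "KC_TOKEN")
    if any(os.environ.get(k) is None for k in needed):
        sys.exit("set " + ", ".join(needed) + " in the environment first")
    status, body = fetch_unmanaged_attributes(
        os.environ["KC_URL"], os.environ["KC_REALM"],
        os.environ["KC_USER_UUID"], os.environ["KC_TOKEN"],
    )
    verdict = assess(status, body)
    print(f"HTTP {status}: {verdict}")
    if verdict == "leak":
        print("hidden attributes returned:",
              sorted(leaked_hidden_attributes(body, HIDDEN_MARKERS)))
```

A `clean` verdict means the endpoint answered but returned none of the marker attributes; `denied` means the request was refused, which is the behaviour to expect once the role is no longer allowed to read them. Only a `leak` verdict, with the markers listed, indicates the disclosure is still present.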

Mitigation Strategies

I don't know
