CVE-2026-37978
Keycloak PII Leakage via Admin API Scope Evaluation
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | keycloak | to 2026-37978 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive user information, specifically personally identifiable information (PII).
An attacker with limited privileges could gain visibility into user identities and their permissions, which could be used for further attacks or unauthorized access.
Since the vulnerability can be exploited remotely, it increases the risk of data leakage without physical access.
Can you explain this vulnerability to me?
This vulnerability exists in Keycloak and involves a flaw where a low-privilege administrator who has the 'view-clients' role can exploit the 'evaluate-scopes' Admin API endpoints by providing an arbitrary user ID parameter.
By doing this, the attacker can cause cross-role leakage of personally identifiable information (PII), gaining unauthorized visibility into user identities and their authorizations within the realm.
The exploitation can be performed remotely through network access to the Admin API.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and analyzing network traffic to the Keycloak Admin API endpoints, specifically looking for calls to the 'evaluate-scopes' endpoint with arbitrary userId parameters.
Commands to detect potential exploitation attempts could include using network monitoring tools like tcpdump or Wireshark to filter HTTP requests to the Admin API, for example:
- `tcpdump -i <interface> -A 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'evaluate-scopes'`
- Using `curl` or similar tools to manually test the Admin API endpoints with various `userId` parameters to check for unauthorized data disclosure.
Additionally, reviewing Keycloak server logs for unusual or unauthorized access to the 'evaluate-scopes' Admin API endpoint by low-privilege administrators can help detect exploitation.
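The tcpdump approach above only works where the Admin API is reachable over plaintext HTTP; in most deployments it is behind TLS, so the practical place to look is the reverse proxy's access log (or Keycloak's own request logging). The following is an added example, not part of this CVE record or of the Keycloak project: a small Python detector that reads access-log lines, picks out requests to the clients `evaluate-scopes` endpoints that carry a `userId` query parameter, and reports admin accounts that queried several distinct user IDs. A single `userId` on an evaluate-scopes request is normal for the feature, so the signal is one admin enumerating many users. The log line format, the admin username column (assumed to be filled in by the proxy from the authenticated token), the realm and client IDs, the user IDs and the sub-path names after `evaluate-scopes` are all constructed for the example.

```python
"""Added example (not from the CVE record): flag Keycloak Admin API
evaluate-scopes requests that name a userId, from a reverse-proxy access log.
The log format, the admin-username column and all sample lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Path of the clients evaluate-scopes sub-resources in the Admin API; the
# match is on the 'evaluate-scopes' segment, whatever follows it.
EVALUATE_SCOPES_RE = re.compile(
    r"^/admin/realms/(?P<realm>[^/]+)/clients/(?P<client>[^/]+)/evaluate-scopes(?:/|$)"
)

# Constructed access-log shape (assumption): the proxy writes the authenticated
# admin username as the second field:
#   <src-ip> <admin> [<timestamp>] "<METHOD> <target> HTTP/1.1" <status>
LOG_LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<admin>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: 'alice' walks three different user IDs through the
# evaluate-scopes endpoints, 'bob' uses the feature once, 'carol' never does.
SAMPLE_LOG = """\
10.0.0.5 alice [19/May/2026:10:00:01 +0000] "GET /admin/realms/acme/clients/c1/evaluate-scopes/generate-example-access-token?scope=openid&userId=u-1001 HTTP/1.1" 200
10.0.0.5 alice [19/May/2026:10:00:02 +0000] "GET /admin/realms/acme/clients/c1/evaluate-scopes/generate-example-access-token?scope=openid&userId=u-1002 HTTP/1.1" 200
10.0.0.5 alice [19/May/2026:10:00:03 +0000] "GET /admin/realms/acme/clients/c1/evaluate-scopes/generate-example-userinfo?scope=openid&userId=u-1003 HTTP/1.1" 200
10.0.0.7 bob [19/May/2026:10:05:00 +0000] "GET /admin/realms/acme/clients/c1/evaluate-scopes/generate-example-access-token?scope=openid&userId=u-2000 HTTP/1.1" 200
10.0.0.7 bob [19/May/2026:10:05:01 +0000] "GET /admin/realms/acme/clients/c1 HTTP/1.1" 200
10.0.0.9 carol [19/May/2026:10:06:00 +0000] "GET /admin/realms/acme/users/u-3000 HTTP/1.1" 200
"""


def parse_line(line):
    """Split one access-log line into fields; return None for lines that do not match."""
    m = LOG_LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def evaluate_scopes_hits(log_text):
    """Return one record per evaluate-scopes request that carries a userId parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = EVALUATE_SCOPES_RE.match(rec["path"])
        user_ids = rec["query"].get("userId", [])
        if m and user_ids:
            hits.append({
                "admin": rec["admin"],
                "src": rec["src"],
                "ts": rec["ts"],
                "realm": m["realm"],
                "client": m["client"],
                "userId": user_ids[0],
                "status": int(rec["status"]),
            })
    return hits


def admins_enumerating_users(hits, min_distinct=2):
    """Map admin -> sorted distinct userIds for admins that queried at least
    min_distinct different users via evaluate-scopes. Successful (2xx)
    responses only, since those are the ones that returned data."""
    seen = defaultdict(set)
    for h in hits:
        if 200 <= h["status"] < 300:
            seen[h["admin"]].add(h["userId"])
    return {admin: sorted(ids) for admin, ids in seen.items() if len(ids) >= min_distinct}


if __name__ == "__main__":
    hits = evaluate_scopes_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['admin']}@{h['src']} realm={h['realm']} client={h['client']} userId={h['userId']}")
    for admin, ids in admins_enumerating_users(hits).items():
        print(f"REVIEW: {admin} evaluated scopes for {len(ids)} distinct users: {', '.join(ids)}")
```

Feed it the real proxy log instead of `SAMPLE_LOG` and adjust `LOG_LINE_RE` to the proxy's actual format; the threshold and the per-admin grouping are the knobs to tune, and the admin identity should be cross-checked against Keycloak admin events, since it is what ties a request to the 'view-clients' role holders this record is about.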
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to the Keycloak Admin API to trusted administrators only.
Review and tighten the permissions assigned to low-privilege administrators, especially those with the 'view-clients' role, to prevent unauthorized use of the 'evaluate-scopes' endpoint.
Apply any available patches or updates from Keycloak or your vendor that address this vulnerability.
Monitor logs for suspicious activity related to the 'evaluate-scopes' Admin API endpoint and respond promptly to any detected exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a low-privilege administrator to gain unauthorized access to personally identifiable information (PII) by exploiting the evaluate-scopes Admin API with arbitrary user IDs. Such unauthorized visibility into user identities and authorizations can lead to cross-role PII leakage.
Because GDPR, HIPAA, and similar regulations require strict controls over access to PII and mandate protection against unauthorized disclosure, this vulnerability could result in non-compliance with these standards due to the potential exposure of sensitive user information.