CVE-2026-37981
Keycloak Account Resources PII Disclosure Vulnerability
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | keycloak | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1220 | Insufficient Granularity of Access Control: the product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, the implemented access controls lack the required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a broken access control flaw in the user lookup of Keycloak's Account Resources endpoint (the Account REST API used to share User-Managed Access resources). A remote authenticated user who owns at least one User-Managed Access (UMA) resource can send crafted requests carrying arbitrary username or email values; the endpoint resolves each value and returns the full profile object of whatever user it matches, with no check that the caller has any relationship to that user. By iterating over usernames or email addresses, the attacker can enumerate and harvest personally identifiable information (PII) for every user in the realm.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because the flaw lets an authenticated user harvest the PII of every realm user, its exploitation is an unauthorized disclosure of personal data.
Regulations and standards such as GDPR and HIPAA require strict access controls over personal data and protection against unauthorized disclosure, so exploitation could put an affected organization in breach of those obligations, with the associated legal and financial consequences.
How can this vulnerability impact me?
The vulnerability can lead to broad disclosure of profile-level information, including PII, to unauthorized users. Any account holder with valid authentication and at least one UMA resource can read the profile data of other users in the realm without permission, which can lead to privacy breaches and misuse of the harvested personal information (for example as input to phishing or credential-stuffing campaigns).
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation can be detected by monitoring requests to the Account Resources endpoint in Keycloak and looking for a single authenticated principal that submits many distinct username or email values in a short period. A legitimate share operation looks up one or two known users; an enumeration run looks up hundreds.
Two practical caveats: Keycloak's HTTP access log records the request line and status, not the request body, so the looked-up value is only visible if a reverse proxy or WAF in front of Keycloak logs it; and traffic to Keycloak is normally TLS, so packet captures only show the endpoint path if they are taken where the traffic is already decrypted (at the proxy or on the Keycloak host itself).
- Enable the HTTP access log on Keycloak (or on the proxy in front of it) and count requests to the Account Resources path per token subject or source IP; alert on unusual volume or on a burst of distinct lookup values.
- Use tcpdump or Wireshark only at a point where the traffic is in clear text, for example between a TLS-terminating proxy and Keycloak, to capture requests to the endpoint.
- Verify the exposure directly with curl against a test realm: authenticate as a low-privilege test user that owns a UMA resource and submit a username or email of an unrelated user; a vulnerable instance returns that user's full profile object, a patched one does not. Do this only against your own deployment, since the check exercises the flaw itself.
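As an added example (not code from Keycloak or from this advisory), the following Python script implements the detection idea above over access log lines: it groups Account Resources requests by token subject and flags any subject that uses many distinct lookup values within a sliding time window. Everything about the input is an assumption labelled in the code: the log line format is an assumed reverse-proxy format enriched with a `sub=` field (the token subject) and a `target=` field (the username or email submitted in the request), since Keycloak itself does not log request bodies; the `/realms/<realm>/account/resources` path prefix is where the Account REST API exposes UMA resources but should be confirmed against your deployment; and the sample lines, realm name, user names and request paths are constructed for the example.

```python
"""Flag realm users who look up many distinct usernames/emails through the
Keycloak Account Resources (UMA sharing) endpoint in a short time window.

Added example for this page, not Keycloak's own code. The log format, the
'sub=' and 'target=' fields, the sample lines and the path prefix below are
all assumptions made for the example."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
# <iso-ts> ip=<addr> sub=<subject> <METHOD> <path> status=<code> target=<username-or-email|->
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) sub=(?P<sub>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) status=(?P<status>\d{3}) target=(?P<target>\S+)$"
)
# Requests against the Account Resources API of any realm (assumed prefix).
ACCOUNT_RESOURCES_RE = re.compile(r"^/realms/[^/]+/account/resources(/|$)")


def parse_line(line):
    """Return the parsed fields of one line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def lookup_events(lines):
    """Keep only requests that carried a lookup value to the Account Resources
    endpoint; return them grouped by token subject and sorted by time."""
    per_subject = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["target"] == "-":
            continue
        if not ACCOUNT_RESOURCES_RE.match(rec["path"]):
            continue
        per_subject[rec["sub"]].append(rec)
    for events in per_subject.values():
        events.sort(key=lambda r: r["ts"])
    return per_subject


def max_distinct_in_window(events, window):
    """Largest number of distinct lookup targets one subject used inside any
    sliding window of the given length (two-pointer sweep over sorted events)."""
    in_window = Counter()
    best = 0
    start = 0
    for ev in events:
        in_window[ev["target"]] += 1
        while ev["ts"] - events[start]["ts"] > window:
            old = events[start]["target"]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            start += 1
        best = max(best, len(in_window))
    return best


def find_enumerators(lines, window=timedelta(minutes=5), threshold=5):
    """Return {subject: summary} for subjects whose burst of distinct lookup
    targets within `window` reaches `threshold`. A legitimate share touches
    one or two known users; an enumerator walks through many."""
    flagged = {}
    for sub, events in lookup_events(lines).items():
        burst = max_distinct_in_window(events, window)
        if burst >= threshold:
            flagged[sub] = {
                "burst_distinct_targets": burst,
                "total_lookups": len(events),
                "profiles_returned": sum(1 for e in events if e["status"] == 200),
                "source_ips": sorted({e["ip"] for e in events}),
            }
    return flagged


# Constructed sample lines: alice shares with two colleagues, bob shares with
# six people spread over a working day, mallory walks a list of addresses in
# one minute (one of which does not exist in the realm, hence the 404).
SAMPLE_LOG = """\
2026-05-20T09:00:00Z ip=192.0.2.4 sub=bob PUT /realms/demo/account/resources/r-2/permissions status=200 target=dave
2026-05-20T10:00:00Z ip=203.0.113.7 sub=alice PUT /realms/demo/account/resources/r-1/permissions status=200 target=bob
2026-05-20T10:00:40Z ip=203.0.113.7 sub=alice PUT /realms/demo/account/resources/r-1/permissions status=200 target=carol@example.org
2026-05-20T10:01:00Z ip=203.0.113.7 sub=alice GET /realms/demo/account/ status=200 target=-
2026-05-20T10:01:00Z ip=198.51.100.9 sub=mallory PUT /realms/demo/account/resources/r-9/permissions status=200 target=u01@example.org
2026-05-20T10:01:10Z ip=198.51.100.9 sub=mallory PUT /realms/demo/account/resources/r-9/permissions status=200 target=u02@example.org
2026-05-20T10:01:20Z ip=198.51.100.9 sub=mallory PUT /realms/demo/account/resources/r-9/permissions status=404 target=u03@example.org
2026-05-20T10:01:30Z ip=198.51.100.9 sub=mallory PUT /realms/demo/account/resources/r-9/permissions status=200 target=u04@example.org
2026-05-20T10:01:40Z ip=198.51.100.9 sub=mallory PUT /realms/demo/account/resources/r-9/permissions status=200 target=u05@example.org
2026-05-20T10:01:50Z ip=198.51.100.9 sub=mallory PUT /realms/demo/account/resources/r-9/permissions status=200 target=u06@example.org
2026-05-20T10:02:00Z ip=198.51.100.9 sub=mallory PUT /realms/demo/account/resources/r-9/permissions status=200 target=u07@example.org
2026-05-20T11:00:00Z ip=192.0.2.4 sub=bob PUT /realms/demo/account/resources/r-2/permissions status=200 target=erin
2026-05-20T12:00:00Z ip=192.0.2.4 sub=bob PUT /realms/demo/account/resources/r-2/permissions status=200 target=frank
2026-05-20T13:00:00Z ip=192.0.2.4 sub=bob PUT /realms/demo/account/resources/r-2/permissions status=200 target=grace
2026-05-20T14:00:00Z ip=192.0.2.4 sub=bob PUT /realms/demo/account/resources/r-2/permissions status=200 target=heidi
2026-05-20T15:00:00Z ip=192.0.2.4 sub=bob PUT /realms/demo/account/resources/r-2/permissions status=200 target=ivan
"""

if __name__ == "__main__":
    for sub, summary in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(sub, summary)
```

Run against the constructed sample, only `mallory` is flagged (seven distinct targets in one minute, six of which returned a profile); `bob` also looked up six distinct users but spread across six hours, so the sliding window keeps him below threshold. The window and threshold are tuning knobs: set them from a baseline of how often your users actually share UMA resources, and feed the `source_ips` list into your SIEM for correlation with the rest of that session. Counting misses (non-200 responses) as well as hits is deliberate, because an enumerator guessing addresses produces both.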
What immediate steps should I take to mitigate this vulnerability?
The only complete fix is to update Keycloak (or the Red Hat build of Keycloak) to a release that addresses this vulnerability; apply the vendor's patch as soon as it is available for your version.
Until then, note that the attacker is already an authenticated realm user, so generic "restrict to authorized users" controls do not help; the precondition that can be removed is ownership of a UMA resource.
- If the realm does not need User-Managed Access, disable it at the realm level so that no user can own a UMA resource; otherwise review which users and clients can create UMA resources and reduce that set to the minimum.
- Block or rate-limit requests to the Account Resources path at the reverse proxy or WAF in front of Keycloak until the fix is applied, accepting that this also disables legitimate resource sharing.
- Monitor the access logs of Keycloak and the proxy for a single token subject or source IP submitting an unusual number of distinct usernames or email addresses to that endpoint, and treat a match as a likely enumeration attempt.