Description
A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.
Published: 2026-03-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via role enforcement bypass
Action: Patch
AI Analysis

Impact

The vulnerability resides in the UMA 2.0 Protection API endpoint for permission tickets, which fails to verify that a requesting user has the required "uma_protection" role. As a result, any authenticated user who possesses a token issued for a resource server client—regardless of whether they hold the role—can query and enumerate all permission tickets in the system. The attack does not grant code execution or elevated privileges, but it does expose potentially sensitive authorization data, leading to a partial information disclosure. The weakness is a failure in authenticating permitted actions, reflected by CWE‑280.

Affected Systems

This flaw affects Red Hat Build of Keycloak version 26.4 and sub‑release 26.4.11 running on Red Hat Enterprise Linux 9. No other Keycloak releases or vendors are listed as impacted in the CNA data.

Risk and Exploitability

The CVSS score is 4.3, indicating a medium severity and competitive impact. The EPSS value is below 1%, denoting a very low likelihood of exploitation in the wild. The vulnerability is not present in the CISA KEV catalog. Attackers would need to authenticate with a valid token issued for a resource server client; no additional privileges or pre‑conditions are required beyond standard authentication. Because the exploit only reveals data, the risk to confidentiality is moderate but the overall impact is reduced by the low exploitation probability.

Generated by OpenCVE AI on April 15, 2026 at 19:43 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

OpenCVE Recommended Actions

  • Apply the Red Hat Security Advisory RHSA‑2026:6477 or RHSA‑2026:6478, which contain the Keycloak patch that restores proper role enforcement in the UMA protection API.
  • Configure resource‑server clients so that only those that legitimately need permission‑ticket access are issued tokens, thereby limiting the number of accounts that could attempt enumeration.
  • Enable and review server access logs for unusual permission ticket enumeration patterns to detect any attempts to exploit this weakness.

Generated by OpenCVE AI on April 15, 2026 at 19:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q35r-vvhv-vx5h Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure
History

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak: cpe:/a:redhat:build_keycloak:26.4::el9
References

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
CPEs cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
Vendors & Products Redhat build Of Keycloak

Fri, 27 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.
Title keycloak: Keycloak: Information Disclosure via improper role enforcement in UMA 2.0 Protection API Keycloak: keycloak: information disclosure via improper role enforcement in uma 2.0 protection api
First Time appeared Redhat
Redhat build Keycloak
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Keycloak
Keycloak keycloak
Vendors & Products Keycloak
Keycloak keycloak

Wed, 25 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title keycloak: Keycloak: Information Disclosure via improper role enforcement in UMA 2.0 Protection API
Weaknesses CWE-280
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

threat_severity

Moderate

Subscriptions

Keycloak Keycloak
Redhat Build Keycloak Build Of Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-02T16:39:39.516Z

Reserved: 2026-02-25T08:35:07.988Z

Link: CVE-2026-3190

cve-icon Vulnrichment

Updated: 2026-03-27T13:46:26.526Z

cve-icon NVD

Status : Modified

Published: 2026-03-26T19:17:06.413

Modified: 2026-04-02T14:16:31.917

Link: CVE-2026-3190

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-25T07:07:00Z

Links: CVE-2026-3190 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T19:45:12Z

Weaknesses