Description
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.
Published: 2026-05-19
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A low‑privilege administrator possessing the view‑clients role can invoke Keycloak’s evaluate‑scopes Admin API with an arbitrary user ID. Because the endpoint does not restrict which userId the caller may supply, it leaks personally identifiable information and authorization data about other users in the realm, allowing the caller to view identities and authorizations beyond their own. The weakness is categorized as an authorization bypass through a user‑controlled key (CWE‑639).

Affected Systems

The vulnerability affects Red Hat Build of Keycloak. No specific version ranges are listed; the flaw applies to any installation that has the evaluate‑scopes endpoint exposed to administrators with view‑clients privileges.

Risk and Exploitability

The CVSS 3.1 score of 4.9 is rated Medium (Red Hat rates the issue Moderate). The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. The attack vector is remote: an attacker must be able to reach the Admin API over the network and must already hold an administrator account with the view‑clients role. No vendor patch or workaround is listed on this record, so the risk remains contingent on how broadly the Admin API is exposed and how many administrators possess the view‑clients role.

Generated by OpenCVE AI on May 19, 2026 at 12:23 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Limit the view‑clients role to trusted, high‑privilege administrators and review the current role assignments.
  • Restrict network access to the Admin API using firewalls or service‑mesh policies so only approved hosts can call the evaluate‑scopes endpoint.
  • Monitor audit logs for evaluate‑scopes requests and any anomalous user‑ID parameters, and investigate any suspicious activity promptly.
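The third action above, watching for evaluate‑scopes requests that carry unusual userId values, can be scripted over Keycloak's HTTP access log. The following is an added example and not OpenCVE's or Keycloak's own tooling. It assumes a common‑log‑style access‑log layout whose third field carries the authenticated admin principal (Keycloak's default access log does not record the principal, so that field, the sample lines, the client id and the user ids are all constructed for the example). It flags any principal that evaluates scopes for several distinct users, which is the enumeration pattern the description implies.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not real Keycloak output). The third
# field is assumed to hold the admin principal that made the request.
SAMPLE_LOG = """\
10.0.0.5 - alice [19/May/2026:12:01:10 +0000] "GET /admin/realms/corp/clients/c0ffee/evaluate-scopes/generate-example-access-token?scope=openid&userId=u-1001 HTTP/1.1" 200 1834
10.0.0.5 - alice [19/May/2026:12:01:12 +0000] "GET /admin/realms/corp/clients/c0ffee HTTP/1.1" 200 912
10.0.0.9 - bob [19/May/2026:12:02:01 +0000] "GET /admin/realms/corp/clients/c0ffee/evaluate-scopes/generate-example-userinfo?scope=openid&userId=u-1001 HTTP/1.1" 200 640
10.0.0.9 - bob [19/May/2026:12:02:02 +0000] "GET /admin/realms/corp/clients/c0ffee/evaluate-scopes/generate-example-userinfo?scope=openid&userId=u-1002 HTTP/1.1" 200 655
10.0.0.9 - bob [19/May/2026:12:02:03 +0000] "GET /admin/realms/corp/clients/c0ffee/evaluate-scopes/generate-example-userinfo?scope=openid&userId=u-1003 HTTP/1.1" 200 648
10.0.0.9 - bob [19/May/2026:12:02:04 +0000] "GET /admin/realms/corp/clients/c0ffee/evaluate-scopes/generate-example-id-token?scope=openid&userId=u-1004 HTTP/1.1" 200 701
10.0.0.9 - bob [19/May/2026:12:02:05 +0000] "GET /admin/realms/corp/clients/c0ffee/evaluate-scopes/generate-example-access-token?scope=openid&userId=u-1005 HTTP/1.1" 403 0
"""

# Common-log-style line: source, ident, principal, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<principal>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Any evaluate-scopes sub-resource of a client in the Admin API.
PATH_RE = re.compile(
    r'^/admin/realms/(?P<realm>[^/]+)/clients/(?P<client>[^/]+)/evaluate-scopes(?:/|$)'
)


def parse_evaluate_scopes(line):
    """Return a record for an evaluate-scopes request, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    p = PATH_RE.match(url.path)
    if not p:
        return None
    user_ids = parse_qs(url.query).get("userId", [])
    return {
        "src": m.group("src"),
        "principal": m.group("principal"),
        "realm": p.group("realm"),
        "client": p.group("client"),
        "user_id": user_ids[0] if user_ids else None,
        "status": int(m.group("status")),
    }


def find_enumerating_principals(log_text, threshold=3):
    """Map each admin principal to the sorted distinct userId values it evaluated,
    keeping only principals at or above the threshold. Denied (403) attempts are
    counted too, because attempts are what an investigator wants to see."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_evaluate_scopes(line)
        if rec and rec["user_id"] is not None:
            seen[rec["principal"]].add(rec["user_id"])
    return {p: sorted(ids) for p, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for principal, ids in find_enumerating_principals(SAMPLE_LOG).items():
        print(f"ALERT {principal} evaluated scopes for {len(ids)} distinct users: {', '.join(ids)}")
```

Tune the threshold to how often your own administrators legitimately use the scope evaluator; a single lookup by a client owner is normal, while a run of lookups across many user IDs from one view‑clients account is the signal worth paging on.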


Advisories

No advisories yet.

History

Tue, 19 May 2026 13:30:00 +0000

  Type: Metrics (ssvc)
  Values Removed: (blank)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 12:15:00 +0000

  Type: References
  Values Removed: (blank)
  Values Added: (blank)

  Type: Metrics (threat_severity)
  Values Removed: threat_severity = None
  Values Added: threat_severity = Moderate

Tue, 19 May 2026 11:30:00 +0000 (record created; all values added)

  Description: A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.
  Title: Keycloak: org.keycloak.services: keycloak: information disclosure via evaluate-scopes admin api
  First Time appeared: Redhat; Redhat build Keycloak
  Weaknesses: CWE-639
  CPEs: cpe:/a:redhat:build_keycloak:
  Vendors & Products: Redhat; Redhat build Keycloak
  References: (blank)
  Metrics (cvssV3_1): {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-19T12:23:35.694Z

Reserved: 2026-04-06T07:48:39.721Z

Link: CVE-2026-37978

Vulnrichment

Updated: 2026-05-19T12:23:32.689Z

NVD

Status: Awaiting Analysis

Published: 2026-05-19T12:16:17.540

Modified: 2026-05-19T14:25:40.320

Link: CVE-2026-37978

Redhat

Severity: Moderate

Public Date: 2026-05-19T10:43:47Z

Links: CVE-2026-37978 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-19T12:30:05Z

Weaknesses