Description
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.
Published: 2026-05-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A broken access‑control flaw in the Keycloak Account Resources user‑lookup endpoint allows a remote authenticated user who possesses at least one UMA resource to enumerate and acquire personally identifiable information for every user in the realm. By sending crafted requests that include arbitrary usernames or e‑mail addresses, the endpoint returns full profile objects for users that the attacker does not own, leading to the disclosure of broad profile‑level information.

Affected Systems

The advisory lists only Red Hat Build of Keycloak (CPE cpe:/a:redhat:build_keycloak:) and gives no affected or fixed version, so any deployment of that build that has not yet received a fix should be treated as potentially vulnerable. The description names Keycloak itself, but the page carries no upstream version information either.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) rates the issue Medium: it is reachable over the network with low attack complexity and no user interaction, but it requires low privileges and affects confidentiality only, at the Low level. The EPSS value of under 1% and the absence of this CVE from the KEV catalog suggest a low exploitation probability at present. The barrier to exploitation is a valid realm account that owns at least one UMA resource, not administrative privilege, so the flaw is exploitable by any ordinary user who can obtain or create such a resource.

Generated by OpenCVE AI on May 19, 2026 at 12:52 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Check for and apply any Red Hat update that includes a fix for the broken access control flaw in Keycloak's user‑lookup endpoint
  • If an update is not yet available, restrict or eliminate unnecessary User‑Managed Access resources to limit the potential for enumeration
  • Configure an alert or log‑monitoring rule to detect anomalous user‑lookup activity, such as repeated lookups for unrelated usernames or e‑mail addresses
  • No workaround is currently available that satisfies Red Hat's criteria; rely on applying the vendor patch when released

Generated by OpenCVE AI on May 19, 2026 at 12:52 UTC.
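One way to implement the log-monitoring rule from the list above, as an added example rather than code from OpenCVE or Keycloak: the script below parses a constructed access log and flags accounts that look up many distinct usernames or e-mail addresses through the account-console resource endpoint. The log format (timestamp, authenticated user, method, request target, status) and the endpoint path pattern `/realms/<realm>/account/resources/<id>/user?name=...` are assumptions made for this example; adapt the regexes to the proxy log and path actually in use, and set the threshold from a baseline of legitimate resource-sharing activity.

```python
"""Flag account-console user lookups that look like enumeration.

Added example, not Keycloak code. It assumes a structured access log from a
reverse proxy in front of Keycloak, one request per line:
    <iso-timestamp> <authenticated-user> <method> <request-target> <status>
and assumes the user-lookup endpoint lives at
    /realms/<realm>/account/resources/<resource-id>/user?name=<username-or-email>
Both the log format and the path are assumptions made for this example.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines for the example, not captured from a real system.
# alice shares with two known people, eve re-checks one name, mallory cycles
# through unrelated identities (including an e-mail) and also lists resources.
SAMPLE_LOG = """\
2026-05-19T10:00:01Z alice GET /realms/demo/account/resources/3f1c/user?name=bob 200
2026-05-19T10:00:05Z alice GET /realms/demo/account/resources/3f1c/user?name=carol 200
2026-05-19T10:01:00Z eve GET /realms/demo/account/resources/9a2e/user?name=bob 200
2026-05-19T10:01:02Z eve GET /realms/demo/account/resources/9a2e/user?name=bob 200
2026-05-19T10:02:00Z mallory GET /realms/demo/account/resources/77d0/user?name=admin 200
2026-05-19T10:02:01Z mallory GET /realms/demo/account/resources/77d0/user?name=cfo%40example.com 200
2026-05-19T10:02:02Z mallory GET /realms/demo/account/resources/77d0/user?name=dave 404
2026-05-19T10:02:03Z mallory GET /realms/demo/account/resources/77d0/user?name=erin 200
2026-05-19T10:02:04Z mallory GET /realms/demo/account/resources/77d0/user?name=frank 200
2026-05-19T10:03:00Z mallory GET /realms/demo/account/resources 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)
# Assumed lookup path; the resource id segment is not needed for the rule.
LOOKUP_PATH_RE = re.compile(r"^/realms/[^/]+/account/resources/[^/]+/user$")


def parse_lookups(lines):
    """Yield (timestamp, requesting_user, looked_up_name, status) for user-lookup
    requests only; every other request and malformed line is skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not LOOKUP_PATH_RE.match(parts.path):
            continue
        names = parse_qs(parts.query).get("name")
        if not names:
            continue
        yield m["ts"], m["user"], names[0], int(m["status"])


def find_enumerators(lines, threshold=3):
    """Return {user: sorted distinct names} for users who looked up more than
    `threshold` distinct usernames or e-mail addresses. Failed lookups (404)
    still count: a miss tells the caller the name does not exist, which is
    enumeration signal in its own right."""
    seen = defaultdict(set)
    for _ts, user, name, _status in parse_lookups(lines):
        seen[user].add(name.lower())
    return {u: sorted(n) for u, n in seen.items() if len(n) > threshold}


if __name__ == "__main__":
    for user, names in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {user} looked up {len(names)} distinct identities: {', '.join(names)}")
```

Counting distinct names per account rather than raw request volume keeps a user who re-shares with the same collaborator out of the alert, while a harvester who walks a list of usernames or e-mail addresses trips it after a handful of requests.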

Advisories

No advisories yet.

History

Tue, 19 May 2026 12:30:00 +0000
  Metrics (added): ssvc = {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 12:15:00 +0000
  References (updated)
  Metrics (changed): threat_severity None -> Moderate

Tue, 19 May 2026 11:30:00 +0000
  Description (added): A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.
  Title (added): Keycloak: org.keycloak.authorization: keycloak: information disclosure via broken access control in user lookup endpoint
  First Time appeared: Redhat; Redhat build Keycloak
  Weaknesses (added): CWE-1220
  CPEs (added): cpe:/a:redhat:build_keycloak:
  Vendors & Products (added): Redhat; Redhat build Keycloak
  References (added)
  Metrics (added): cvssV3_1 = {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-19T12:06:13.589Z

Reserved: 2026-04-06T07:48:39.722Z

Link: CVE-2026-37981

Vulnrichment

Updated: 2026-05-19T12:06:10.279Z

NVD

Status: Received

Published: 2026-05-19T12:16:18.463

Modified: 2026-05-19T12:16:18.463

Link: CVE-2026-37981

Redhat

Severity: Moderate

Published: 2026-05-19T10:19:46Z

Links: CVE-2026-37981 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-19T13:00:06Z

Weaknesses

CWE-1220 (Insufficient Granularity of Access Control)