Description
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.
Published: 2026-03-11
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Keycloak's UserResource component (the admin REST resource for user objects) allows an authenticated user who holds the view-users role to call an administrative endpoint and retrieve user attributes that were configured to be hidden, resulting in the unauthorized disclosure of sensitive data. The root cause is improper handling of hidden attributes, classified as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). The flaw does not affect system integrity or availability, but the disclosed attributes can include personally identifiable information or other confidential user data.

Affected Systems

The issue affects Red Hat’s build of Keycloak 26.4 and the 26.4.11 sub‑release running on Enterprise Linux 9. Users of these versions who have been granted the view-users role are potentially exposed to the disclosure of hidden attributes.

Risk and Exploitability

The CVSS 3.1 base score of 2.7 (vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) indicates low overall severity: the endpoint is network-reachable with low attack complexity, but exploitation requires high privileges (an authenticated account holding view-users), and the only impact is a low confidentiality loss within the same security scope. The EPSS score of less than 1% suggests exploitation in the wild is unlikely, the flaw is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable. It does not lead to code execution or denial of service, but the confidentiality breach could affect many users if the realm stores sensitive attributes that are meant to remain hidden from view-only administrators.

Generated by OpenCVE AI on May 7, 2026 at 20:30 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat security errata RHSA-2026:6477 or RHSA-2026:6478, whichever matches your distribution channel, to upgrade Keycloak to a patched release.
  • Until patched, restrict the view-users role to accounts that genuinely need to list users, and review indirect grants as well: realm-admin is a composite that includes view-users, and group role mappings can confer it without a direct assignment.
  • Monitor Admin REST API activity against user endpoints (for example by enabling HTTP access logging and alerting on requests under /admin/realms/{realm}/users from accounts whose only realm-management role is view-users) to detect attempts to read hidden attributes.

Generated by OpenCVE AI on May 7, 2026 at 20:30 UTC.
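Since the privilege requirement (PR:H) is what keeps this issue at Low, the practical first step is to know who actually holds view-users. The script below is an added example, not OpenCVE or Keycloak code; it uses two documented Keycloak Admin REST API calls (GET /admin/realms/{realm}/clients?clientId=realm-management to find the realm-management client, and GET /admin/realms/{realm}/clients/{client-uuid}/roles/{role-name}/users to list members of a client role) and also checks realm-admin, because that composite role includes view-users. The server URL, the realm name demo and the canned responses in FakeApi are constructed for illustration. One caveat a practitioner should keep in mind: the role-members endpoint returns direct assignments only, so an account inheriting view-users through a group mapping will not appear and must be checked via the group's role mappings.

```python
"""Audit direct holders of the realm-management 'view-users' client role.

Added example, not OpenCVE's or Keycloak's own code. Endpoints used are the
standard Admin REST API; the sample data in FakeApi is constructed."""

import json
import os
import urllib.parse
import urllib.request

# realm-admin is a composite of every realm-management role, so its holders
# have view-users even without a direct assignment.
ROLES_OF_INTEREST = ("view-users", "realm-admin")
PAGE_SIZE = 100


def get_admin_token(base_url: str, username: str, password: str) -> str:
    """Password grant on the master realm with the built-in admin-cli client."""
    data = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


class AdminApi:
    """Thin GET wrapper for the Keycloak Admin REST API."""
    def __init__(self, base_url: str, token: str):
        self.base_url = base_url.rstrip("/")
        self.token = token

    def get(self, path: str, **params):
        url = f"{self.base_url}/admin{path}"
        if params:
            url += "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {self.token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)


class FakeApi:
    """Offline stand-in with constructed responses; mimics the clientId
    filter and first/max paging of the real endpoints."""
    def __init__(self, responses: dict):
        self.responses = responses

    def get(self, path: str, **params):
        data = self.responses.get(path, [])
        if "clientId" in params:
            data = [c for c in data if c.get("clientId") == params["clientId"]]
        first = params.get("first", 0)
        max_ = params.get("max", len(data))
        return data[first:first + max_]


def _paged(api, path: str):
    """Iterate a list endpoint page by page using first/max."""
    first = 0
    while True:
        page = api.get(path, first=first, max=PAGE_SIZE)
        yield from page
        if len(page) < PAGE_SIZE:
            return
        first += PAGE_SIZE


def audit_view_users(api, realm: str) -> dict:
    """Return {role: sorted usernames} for direct holders of each role of interest."""
    clients = api.get(f"/realms/{realm}/clients", clientId="realm-management")
    if not clients:
        raise RuntimeError(f"realm-management client not found in realm {realm!r}")
    cid = clients[0]["id"]
    report = {}
    for role in ROLES_OF_INTEREST:
        members = _paged(api, f"/realms/{realm}/clients/{cid}/roles/{role}/users")
        report[role] = sorted(u["username"] for u in members)
    return report


# Constructed sample responses for an offline run (hypothetical realm 'demo').
RM_ID = "c0ffee00-0000-4000-8000-000000000001"
SAMPLE = FakeApi({
    "/realms/demo/clients": [
        {"id": "0a0a0a0a-0000-4000-8000-000000000002", "clientId": "account"},
        {"id": RM_ID, "clientId": "realm-management"},
    ],
    f"/realms/demo/clients/{RM_ID}/roles/view-users/users": [
        {"username": "helpdesk"}, {"username": "auditor"},
    ],
    f"/realms/demo/clients/{RM_ID}/roles/realm-admin/users": [
        {"username": "admin"},
    ],
})


if __name__ == "__main__":
    if os.environ.get("KEYCLOAK_URL"):
        # Live run; environment variable names are an assumption of this example.
        tok = get_admin_token(os.environ["KEYCLOAK_URL"],
                              os.environ["KC_ADMIN_USER"], os.environ["KC_ADMIN_PASS"])
        api = AdminApi(os.environ["KEYCLOAK_URL"], tok)
        realm = os.environ.get("KC_REALM", "demo")
    else:
        api, realm = SAMPLE, "demo"
    for role, users in audit_view_users(api, realm).items():
        print(f"{role}: {', '.join(users) or '(none)'}")
```

Run it against the constructed data to see the report shape, or set KEYCLOAK_URL, KC_ADMIN_USER, KC_ADMIN_PASS and KC_REALM to audit a live instance; anyone listed under view-users who only needs to look up their own team should have the role removed until the errata is applied.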

Tracking


Advisories
Source: Github GHSA
ID: GHSA-xh32-c9wx-phrp
Title: Keycloak: Information disclosure of disabled user attributes via administrative endpoint
History

Thu, 07 May 2026 18:45:00 +0000

Weaknesses (added): NVD-CWE-noinfo
CPEs (added):
  cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*
  cpe:2.3:a:redhat:build_of_keycloak:26.4.11:*:*:*:*:*:*:*
  cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:*:*:*:*

Thu, 02 Apr 2026 14:15:00 +0000

CPEs: removed cpe:/a:redhat:build_keycloak: ; added cpe:/a:redhat:build_keycloak:26.4::el9
References: changed (values not shown)

Fri, 13 Mar 2026 00:15:00 +0000

References: changed (values not shown)
Metrics (threat_severity): None -> Low

Thu, 12 Mar 2026 10:15:00 +0000

First Time appeared: Redhat build Of Keycloak
Vendors & Products (added): Redhat build Of Keycloak

Wed, 11 Mar 2026 14:15:00 +0000

Metrics (ssvc, added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 06:00:00 +0000

Description (added): A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.
Title (added): Org.keycloak.services.resources.admin.userresource: keycloak: information disclosure of disabled user attributes via administrative endpoint
First Time appeared: Redhat; Redhat build Keycloak
Weaknesses (added): CWE-359
CPEs (added): cpe:/a:redhat:build_keycloak:
Vendors & Products (added): Redhat; Redhat build Keycloak
References: added (values not shown)
Metrics (cvssV3_1, added): {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-02T16:47:22.731Z

Reserved: 2026-03-11T03:32:12.979Z

Link: CVE-2026-3911

Vulnrichment

Updated: 2026-03-11T14:04:02.463Z

NVD

Status : Analyzed

Published: 2026-03-11T06:17:15.377

Modified: 2026-05-07T18:30:50.623

Link: CVE-2026-3911

Redhat

Severity : Low

Public Date: 2026-03-11T03:30:00Z

Links: CVE-2026-3911 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T20:45:22Z

Weaknesses