Description
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.
Published: 2026-03-11
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

A flaw in Keycloak’s UserResource component allows an authenticated user who holds the view-users role to call an administrative endpoint and retrieve user attributes that should be hidden, resulting in the unauthorized disclosure of sensitive data. The vulnerability stems from improper handling of hidden attributes and is classified as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). The impact is limited to confidentiality: personal or organizational information can be exposed, but the system’s integrity and availability are not affected.

Affected Systems

The issue affects Red Hat’s build of Keycloak 26.4 and its 26.4.11 sub-release running on Enterprise Linux 9. Deployments of these versions in which accounts have been granted the view-users role are potentially exposed to the disclosure of hidden attributes.

Risk and Exploitability

The CVSS score of 2.7 indicates a low overall severity, and the EPSS score of less than 1% suggests that exploitation in the wild is unlikely. The flaw is not listed in the CISA KEV catalog, and because an attacker must be authenticated and possess the view-users role, exploitation requires valid internal credentials. Although the flaw does not lead to code execution or denial of service, the confidentiality breach could affect many users if the system stores sensitive attributes that are meant to remain hidden.

Generated by OpenCVE AI on April 2, 2026 at 15:53 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat security errata RHSA-2026:6477 or RHSA-2026:6478 to upgrade Keycloak to a patched release.
  • After applying the patch, confirm with an account that holds only the view-users role that the administrative endpoint no longer returns hidden user attributes.



Advisories

Source: Github GHSA
ID: GHSA-xh32-c9wx-phrp
Title: Keycloak: Information disclosure of disabled user attributes via administrative endpoint
History

Thu, 02 Apr 2026 14:15:00 +0000

CPEs
  Values Removed: cpe:/a:redhat:build_keycloak:
  Values Added: cpe:/a:redhat:build_keycloak:26.4::el9
References

Fri, 13 Mar 2026 00:15:00 +0000

References
Metrics
  Values Removed: threat_severity: None
  Values Added: threat_severity: Low


Thu, 12 Mar 2026 10:15:00 +0000

First Time appeared
  Values Added: Redhat build Of Keycloak
Vendors & Products
  Values Added: Redhat build Of Keycloak

Wed, 11 Mar 2026 14:15:00 +0000

Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 06:00:00 +0000

Description
  Values Added: A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.
Title
  Values Added: Org.keycloak.services.resources.admin.userresource: keycloak: information disclosure of disabled user attributes via administrative endpoint
First Time appeared
  Values Added: Redhat; Redhat build Keycloak
Weaknesses
  Values Added: CWE-359
CPEs
  Values Added: cpe:/a:redhat:build_keycloak:
Vendors & Products
  Values Added: Redhat; Redhat build Keycloak
References
Metrics
  Values Added: cvssV3_1 {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-02T16:47:22.731Z

Reserved: 2026-03-11T03:32:12.979Z

Link: CVE-2026-3911

Vulnrichment

Updated: 2026-03-11T14:04:02.463Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T06:17:15.377

Modified: 2026-04-02T14:16:32.967

Link: CVE-2026-3911

Redhat

Severity: Low

Public Date: 2026-03-11T03:30:00Z

Links: CVE-2026-3911 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:23:53Z

Weaknesses