Description
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.
Published: 2026-03-11
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Monitor
AI Analysis

Impact

A flaw exists in Keycloak's UserResource component. An authenticated attacker holding the view-users role can call a specific administrative endpoint and improperly retrieve user attributes that were configured to be hidden, disclosing sensitive user data to someone not entitled to see it. The weakness is classified as information leakage, CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor).

Affected Systems

The affected product is Red Hat Build of Keycloak, identified by the CPE cpe:/a:redhat:build_keycloak:. No specific affected versions are listed in the provided data, so the vulnerability may apply to all installations of the product as currently shipped.

Risk and Exploitability

The CVSS score is 2.7, indicating low severity, and the EPSS score is below 1%, suggesting a very low likelihood of exploitation in the wild. The issue is not listed in the CISA KEV catalog. Exploitation requires the attacker to already be authenticated as a user that holds the view-users role, so the threat surface is limited to environments where this role is granted. The primary risk is that hidden user attributes may be exposed to an administrator who is not authorized to view them.

Generated by OpenCVE AI on March 17, 2026 at 16:37 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Check for and apply any available updates or patches from Red Hat for Build of Keycloak.
  • If no update is available, restrict the view‑users role to only trusted accounts or remove the ability to access the affected administrative endpoint.
  • Monitor system logs for unauthorized access attempts to the administrative endpoint.


Tracking


Advisories

Source: Github GHSA
ID: GHSA-xh32-c9wx-phrp
Title: Keycloak: Information disclosure of disabled user attributes via administrative endpoint
History

Thu, 02 Apr 2026 14:15:00 +0000

Type: CPEs
  Values Removed: cpe:/a:redhat:build_keycloak:
  Values Added: cpe:/a:redhat:build_keycloak:26.4::el9
Type: References

Fri, 13 Mar 2026 00:15:00 +0000

Type: References
Type: Metrics (threat_severity)
  Values Removed: None
  Values Added: Low


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
  Values Added: Redhat build Of Keycloak
Type: Vendors & Products
  Values Added: Redhat build Of Keycloak

Wed, 11 Mar 2026 14:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 06:00:00 +0000

Type: Description
  Values Added: A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.
Type: Title
  Values Added: Org.keycloak.services.resources.admin.userresource: keycloak: information disclosure of disabled user attributes via administrative endpoint
Type: First Time appeared
  Values Added: Redhat; Redhat build Keycloak
Type: Weaknesses
  Values Added: CWE-359
Type: CPEs
  Values Added: cpe:/a:redhat:build_keycloak:
Type: Vendors & Products
  Values Added: Redhat; Redhat build Keycloak
Type: References
Type: Metrics (cvssV3_1)
  Values Added: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-04-02T13:59:06.533Z
Reserved: 2026-03-11T03:32:12.979Z
Link: CVE-2026-3911

Vulnrichment

Updated: 2026-03-11T14:04:02.463Z

NVD

Status: Awaiting Analysis
Published: 2026-03-11T06:17:15.377
Modified: 2026-04-02T14:16:32.967
Link: CVE-2026-3911

Redhat

Severity: Low
Public Date: 2026-03-11T03:30:00Z
Links: CVE-2026-3911 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-20T14:37:49Z

Weaknesses