
CVE-2026-37981

4.3 MEDIUM

A flaw was found in Keycloak

Published: 2026-05-19 · Last updated: 2026-06-03

Severity and scoring

CVSS: 4.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-1220

Affected products

Vendor: redhat
Product: build_of_keycloak

Description

A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-50259 A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland (7.8 HIGH)
  • CVE-2026-50258 A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland (7.8 HIGH)
  • CVE-2026-50257 A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence() (7.8 HIGH)
  • CVE-2026-50256 A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland (7.8 HIGH)
  • CVE-2026-1784 The Route OpenShift resource allows to define routes to make pods reachable at a subdomain through HAProxy (8.8 HIGH)

Same CWE

  • CVE-2026-9088 A flaw was found in org.keycloak.services (2.7 LOW)
  • CVE-2021-46747 Insufficient granularity of access control in ASP (AMD Secure Processor) may allow an attacker with an untrusted user space application t...
  • CVE-2026-40365 Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network (8.8 HIGH)
  • CVE-2026-35436 Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally (8.8 HIGH)
  • CVE-2022-36110 Netmaker makes networks with WireGuard (8.8 HIGH)