Medium severity (4.3) · NVD Advisory · Published Mar 26, 2026 · Updated Apr 2, 2026

CVE-2026-3190

Description

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the uma_protection role check. This allows any authenticated user with a token issued for a resource server client, even without the uma_protection role, to enumerate all permission tickets in the system. This vulnerability leads to partial information disclosure.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.keycloak:keycloak-server-spi-private | Maven | < 26.5.6 | 26.5.6 |
| org.keycloak:keycloak-services | Maven | < 26.5.6 | 26.5.6 |
| org.keycloak:keycloak-model-jpa | Maven | < 26.5.6 | 26.5.6 |
