Medium severity (CVSS 4.3) · NVD Advisory · Published Mar 26, 2026 · Updated Apr 2, 2026

CVE-2026-3190
Description
A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the uma_protection role check. This allows any authenticated user holding a token issued for a resource server client, even one without the uma_protection role, to enumerate all permission tickets in the system. This vulnerability leads to partial information disclosure.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-server-spi-private | < 26.5.6 | 26.5.6 |
| org.keycloak:keycloak-services | < 26.5.6 | 26.5.6 |
| org.keycloak:keycloak-model-jpa | < 26.5.6 | 26.5.6 |
Affected products
- cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
- GHSA coordinates (no CPE), range < 26.5.6:
  - pkg:maven/org.keycloak/keycloak-model-jpa
  - pkg:maven/org.keycloak/keycloak-server-spi-private
  - pkg:maven/org.keycloak/keycloak-services
References
- access.redhat.com/security/cve/CVE-2026-3190 (NVD: vendor advisory)
- bugzilla.redhat.com/show_bug.cgi (NVD: issue tracking, vendor advisory)
- github.com/advisories/GHSA-q35r-vvhv-vx5h (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-3190 (GHSA: advisory)
- access.redhat.com/errata/RHSA-2026:6477 (NVD)
- access.redhat.com/errata/RHSA-2026:6478 (NVD)
- github.com/keycloak/keycloak/commit/f1baf25cbb1551202570f954102eb2d270ab0694 (GHSA: fix commit)
- github.com/keycloak/keycloak/issues/46723 (GHSA: issue)