Medium severity4.9NVD Advisory· Published May 19, 2026· Updated Jun 3, 2026
CVE-2026-37978
CVE-2026-37978
Description
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.keycloak:keycloak-servicesMaven | < 26.6.2 | 26.6.2 |
Affected products
5(expand)+ 1 more
- (no CPE)
- cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*range: <26.4.12
Patches
Vulnerability mechanics
References
8- access.redhat.com/errata/RHSA-2026:19596nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2026:19597nvdVendor AdvisoryWEB
- access.redhat.com/security/cve/CVE-2026-37978nvdVendor AdvisoryWEB
- bugzilla.redhat.com/show_bug.cginvdVendor AdvisoryWEB
- github.com/advisories/GHSA-rrv7-3mqf-hxfrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-37978ghsaADVISORY
- github.com/keycloak/keycloak/commit/492d1f04cdad425dadb9d5e1faa94dd17a875573ghsaWEB
- github.com/keycloak/keycloak/commit/ba9a18744dcec2ef46f284d25c1c0aa1c962a500ghsaWEB
News mentions
0No linked articles in our index yet.