Medium severity (CVSS 4.3). NVD Advisory. Published May 19, 2026. Updated Jun 3, 2026.
CVE-2026-37981
Description
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.
References
- access.redhat.com/errata/RHSA-2026:19596 (Vendor Advisory)
- access.redhat.com/errata/RHSA-2026:19597 (Vendor Advisory)
- access.redhat.com/security/cve/CVE-2026-37981 (Vendor Advisory)
- bugzilla.redhat.com/show_bug.cgi (Vendor Advisory)