CVE-2026-37981
Description
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. Crafted requests carrying arbitrary usernames or email values cause the endpoint to return full profile objects for unrelated users. This leads to broad profile-level information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Keycloak's Account Resources user lookup endpoint has a broken access control flaw that allows authenticated users owning a UMA resource to enumerate all realm user profiles.
Vulnerability
A broken access control vulnerability exists in Keycloak's Account Resources user lookup endpoint. The flaw lies in the validation logic, which only verifies that a User-Managed Access (UMA) resource ID belongs to the calling user but does not enforce any relationship between that resource and the user being queried. Crafted requests carrying arbitrary usernames or email values therefore cause the endpoint to return full profile objects for unrelated users. This issue affects Keycloak versions prior to 26.4.12 [1][2][3][4].
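The missing relationship check described above, as an added illustration that is not Keycloak's code: a small model of a UMA resource with an owner and a share list, with the lookup pattern the advisory describes beside a hardened one. The data model, the function names, and the choice to require that the queried user already hold a share on the caller's resource are assumptions made for this example; the page does not describe how the 26.4.12 fix enforces the relationship.

```python
"""Model of a UMA-style user lookup guard (teaching example, not Keycloak code).

Everything here is an assumed model: the realm data, the share relationship,
and the remedy chosen in lookup_user_fixed().
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class UserProfile:
    """The profile fields the advisory lists as exposed: ID, username, name, email, status."""
    user_id: str
    username: str
    name: str
    email: str
    enabled: bool


@dataclass
class UmaResource:
    """A UMA resource with its owner and the users it has been shared with (assumed model)."""
    resource_id: str
    owner_id: str
    shared_with: set[str] = field(default_factory=set)


class AuthzError(Exception):
    """Raised when the caller is not entitled to the requested lookup."""


# Constructed sample realm: three users, one resource owned by alice and shared with bob.
USERS: dict[str, UserProfile] = {
    "u-alice": UserProfile("u-alice", "alice", "Alice Example", "alice@example.test", True),
    "u-bob": UserProfile("u-bob", "bob", "Bob Example", "bob@example.test", True),
    "u-carol": UserProfile("u-carol", "carol", "Carol Example", "carol@example.test", False),
}
RESOURCES: dict[str, UmaResource] = {
    "res-1": UmaResource("res-1", "u-alice", {"u-bob"}),
}


def _resource_owned_by(caller_id: str, resource_id: str) -> UmaResource:
    """The only check the vulnerable path performs: the resource must belong to the caller."""
    res = RESOURCES.get(resource_id)
    if res is None or res.owner_id != caller_id:
        raise AuthzError("resource is not owned by the caller")
    return res


def _find_user(value: str) -> UserProfile | None:
    """Resolve a username or email address to a profile by exact match."""
    for user in USERS.values():
        if value in (user.username, user.email):
            return user
    return None


def lookup_user_vulnerable(caller_id: str, resource_id: str, value: str) -> UserProfile:
    """Broken access control: ownership of the resource is verified, but the queried
    user is never related back to that resource, so any realm user resolves."""
    _resource_owned_by(caller_id, resource_id)
    user = _find_user(value)
    if user is None:
        raise LookupError("no such user")
    return user


def lookup_user_fixed(caller_id: str, resource_id: str, value: str) -> UserProfile:
    """Hardened pattern (assumed remedy, not the project's actual patch): the queried
    user must stand in a relationship to the caller's resource, here an existing share.
    Unknown and unrelated users receive the same error so the endpoint cannot be used
    as a username or email existence oracle."""
    res = _resource_owned_by(caller_id, resource_id)
    user = _find_user(value)
    if user is None or user.user_id not in res.shared_with:
        raise AuthzError("no matching user is associated with this resource")
    return user
```

In the fixed variant the authorization decision is made on the pair (resource, queried user) rather than on the resource alone; returning one indistinguishable error for both the unknown and the unrelated case is what keeps the endpoint from leaking whether an identifier exists in the realm.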
Exploitation
An attacker must be a remote authenticated user who owns at least one UMA resource. No special network position or user interaction beyond authentication is required. The attacker can systematically send requests to the user lookup endpoint, providing arbitrary usernames or email addresses. The endpoint will return the full profile (ID, username, name, email, status) for each queried user, allowing efficient enumeration of all realm users [1][2][4].
Impact
Successful exploitation leads to broad profile-level information disclosure. The attacker harvests personally identifiable information (PII) such as usernames, full names, email addresses, and account status for every user in the realm. No privileged access is gained, but the confidentiality of user profile data is compromised [1][2][3][4].
Mitigation
The vulnerability is fixed in Keycloak version 26.4.12. Both the standalone server packages and container images for OpenShift have been released as security updates on 2026-05-20 [2][3]. Users should upgrade to the fixed version; no workaround is documented [2][3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.